
ISS: Vulnerability counts fall in 2007; Do you buy it?

IBM's Internet Security Systems is previewing its X-Force report and disclosed a notable factoid: Vulnerability disclosures fell 5.4 percent in 2007 relative to 2006.
Written by Larry Dignan, Contributor

Here's the data in a chart as disclosed in the ISS blog:

Feel safer yet? You shouldn't.

ISS says that the decline is a statistical anomaly because the growth in vulnerabilities was large in 2005 and 2006. The 2007 decline could be just a statistical correction in an uptrend. ISS also notes that "although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds."

I reckon that ISS' explanations are off on all counts. Vulnerabilities aren't down--disclosure is down. So where are these vulnerabilities going? Here are three not so comforting possibilities:

  • Hackers are selling vulnerabilities instead of disclosing them;
  • Hackers are banking vulnerabilities for later;
  • Or these vulnerabilities aren't disclosed and are quietly patched. If a vulnerability is never disclosed and is patched on the fly, would you ever notice?

In any case, there's a lot happening under this surface data. Unfortunately, it'll take a few more years to see where the vulnerability trends lie.
