Open Letter on the Interpretation of "Vulnerability Statistics"

Open Letter on the Interpretation of "Vulnerability Statistics"
Author: Steve Christey, CVE Editor
Date: January 4, 2006


As the new year begins, there will be many temptations to generate,
comment, or report on vulnerability statistics based on totals from
2005. The original reports will likely come from publicly available
Refined Vulnerability Information (RVI) sources - that is,
vulnerability databases (including CVE/NVD), notification services,
and periodic summary producers.

RVI sources collect unstructured vulnerability information from Raw
Sources. Then, they refine, correlate, and redistribute the
information to others. Raw sources include mailing lists like
Bugtraq, Vulnwatch, and Full-Disclosure, web sites like PacketStorm
and Securiteam, blogs, conferences, newsgroups, direct emails, etc.

In my opinion, RVI sources are still a year or two away from being
able to produce reliable, repeatable, and COMPARABLE statistics. In
general, consumers should treat current statistics as suggestive, not

Vulnerability statistics are difficult to interpret due to several

- VARIATIONS IN EDITORIAL POLICY. An RVI source's editorial policy
dictates HOW MANY vulnerabilities are reported, and WHICH
vulnerabilities are reported. RVIs have widely varying policies.
You can't even compare an RVI against itself, unless you can be
sure that its editorial policy has not changed within the relevant
data set. The editorial policies of RVIs seem to take a few years
before they stabilize, and there is evidence that they can change

information from its own list of raw sources - web sites, mailing
lists, blogs, etc. RVIs can also use other RVIs as sources.
Apparently for competitive reasons, some RVIs might not identify
the raw source that was used for a vulnerability item, which is one
aspect of what I refer to as the provenance problem. Long gone are
the days when a couple mailing lists or newsgroups were the raw
source for 90% of widely available vulnerability information.
Based on what I have seen, the provenance problem is only going to
get worse.

an exhaustive set of cross-references, so no RVI can be sure that
it is 100% comprehensive, even with respect to its own editorial
policy. Some RVIs compete with each other directly, so they don't
cross-reference each other. Some sources could theoretically
support all public cross-references - most notably OSVDB and CVE -
but they do not, due to resource limitations or other priorities.

vary widely in skill sets, thoroughness, preference for certain
vulnerability types or product classes, and so on. This
collectively produces a bias that is not currently measurable
against the number of latent vulnerabilities that actually exist.
Example: web browser vulnerabilities were once thought to belong to
Internet Explorer only, until people actually started researching
other browsers; many elite researchers concentrate on a small
number of operating systems or product classes; basic SQL injection
and XSS are very easy to find manually; etc.

- UNMEASURABLE DISCLOSURE BIAS. Vendors and researchers vary widely
in their disclosure models, which creates an unmeasurable bias.
For example, one vendor might hire an independent auditor and patch
all reported vulnerabilities without publicly announcing any of
them, or a different vendor might publish advisories even for very
low-risk issues. One researcher might disclose without
coordinating with the vendor at all, whereas another researcher
might never disclose an issue until a patch is provided, even if
the vendor takes an inordinate amount of time to respond.

Note that many large-scale comparisons, such as "Linux vs. Windows,"
can not be verified due to unmeasurable bias, and/or editorial policy
of the core RVI that was used to conduct the comparison.


This is just a sample of variations in editorial policy. There are
legitimate reasons for each variation, usually due to audience needs
or availability of analytical resources.

COMPLETENESS (what is included):

1) SEVERITY. Some RVIs do not include very low-risk items such as a
bug that causes path disclosure in an error message in certain
non-operational configurations. Secunia and SecurityFocus do not
do this, although they might note this when other issues are
identified. Others include low-risk issues, such as CVE, ISS
X-Force, US-CERT Security Bulletins, and OSVDB.

2) VERACITY. Some RVIs will only publish vulnerabilities when they
are confident that the original, raw report is legitimate - or if
they're verified it themselves. Others will publish reports when
they are first detected from the raw sources. Still others will
only publish reports when they are included in other RVIs, which
makes them subject to the editorial policies of those RVIs unless
care is taken. For example, US-CERT's Vulnerability Notes have a
high veracity requirement before they are published; OSVDB and
CVE have a lower requirement for veracity, although they have
correction mechanisms in place if veracity is questioned, and CVE
has a two-stage approach (candidates and entries).

3) PRODUCT SPACE. Some RVIs might omit certain products that have
very limited distribution, are in the beta development stage, or
are not applicable to the intended audience. For example,
version 0.0.1 of a low-distribution package might be omitted, or
if the RVI is intended for a business audience, video game
vulnerabilities might be excluded. On the other hand, some
"beta" products have extremely wide distribution.

4) OTHER VARIATIONS. Other variations exist but have not been
studied or categorized at this time. One example, though, is
historical completeness. Most RVIs do not cover vulnerabilities
before the RVI was first launched, whereas others - such as CVE
and OSVDB - can include issues that are older than the RVI
itself. As another example: a few years ago, Neohapsis made an
editorial decision to omit most PHP application vulnerabilities
from their summaries, if they were obscure products, or if the
vulnerability was not exploitable in a typical operational

ABSTRACTION (how vulnerabilities are "counted"):

5) VULNERABILITY TYPE. Some RVIs distinguish between types of
vulnerabilities (e.g. buffer overflow, format string, symlink,
XSS, SQL injection). CVE, OSVDB, ISS X-Force, and US-CERT
Vulnerability Notes perform this distinction; Secunia, FrSIRT,
and US-CERT Cyber Security Bulletins do not. Bugtraq IDs vary.
As vulnerability classification becomes more detailed, there is
more room for variation (e.g. integer overflows and off-by-ones
might be separated from "classic" overflows).

6) REPLICATION. Some RVIs will produce multiple records for the
same core vulnerability, even based on the RVI's own definition.
Usually this is done when the same vulnerability affects multiple
vendors, or if important information is released at a later date.
Secunia and US-CERT Security Bulletins use replication; so might
vendor advisories (for each supported distribution). OSVDB,
Bugtraq ID, CVE, US-CERT Vulnerability Notes, and ISS X-Force do
not - or, they use different replication than others.
Replication's impact on statistics is not well understood.

7) OTHER VARIATIONS. Other abstraction variations exist but have
not been studied or categorized at this time. As one example, if
an SQL injection vulnerability affects multiple executables in
the same product, OSVDB will create one record for each affected
program, whereas CVE will combine them.


8) RVIs differ in how quickly they must release vulnerability
information. While this used to vary significantly in the past,
these days most public RVIs have very short timelines, from the
hour of release to within a few days. Vulnerability information
can be volatile in the early stages, so an RVI's requirements for
timeliness directly affects its veracity and completeness.


9) All RVIs deal with limited resources or time, which significantly
affects completeness, especially with respect to veracity, or
timeliness (which is strongly associated with the ability to
achieve completeness). Abstraction might also be affected,
although usually to a lesser degree, except in the case of
large-scale disclosures.


In my opinion:

You should not interpret any RVI's statistics without considering its
editorial policy. For example, the US-CERT Cyber Security Bulletin
Summary for 2005 uses statistics that include replication. (As a side
note, a causal glance at the bulletin's contents makes it clear that
it cannot be used to compare Windows to Linux as operating systems.)

In addition, you should not compare statistics from different RVIs
until (a) the RVIs are clear about their editorial policy and (b) the
differences in editorial policy can be normalized. Example: based on
my PRELIMINARY investigations of a few hours' work, OSVDB would have
about 50% more records than CVE, even though it has the same
underlying number of vulnerabilities and the same completeness policy
for recent issues.

Third, for the sake of more knowledgeable analysis, RVIs should
consider developing and publishing their own editorial policies.
(Note that based on CVE's experience, this can be difficult to do.)
Consumers should be aware that some RVIs might not be open about their
raw sources, veracity analysis, and/or completeness.

Finally: while RVIs are not yet ready to provide usable, conclusive
statistics, there is a solid chance that they will be able to do so in
the near future. Then, the only problem will be whether the
statistics are properly interpreted. But that is beyond the scope of
this letter.

Steve Christey
CVE Editor

P.S. This post was written for the purpose of timely technical
exchange. Members of the press are politely requested to consult me
before directly attributing quotes from this article, especially with
respect to stated opinion.