Earlier this week X-Force previewed some new stats from the upcoming 2007 threat report. I was reading with interest some of the Web responses to the high-level data – particularly the conclusions people had come to – including the dramatic leap of saying that vulnerabilities had gone down because people were now selling them. Personally, I doubt that the commercial aspects of buying and selling vulnerabilities have anything but a marginal effect on the volume of disclosures last year.

As a quick recap, 2005 and 2006 both saw year-on-year increases in new vulnerabilities of around 40%. For 2007, the year-on-year figure was a 5.4 percent decrease – however high-impact vulnerabilities rose by 28 percent.

Based upon some of the comments I observed, a few people didn’t really understand that X-Force were talking about the rate of increase. That is to say there were over six and a half thousand brand new – never seen before – vulnerabilities added to the tens of thousands that businesses already have to protect themselves against. In that context, a 5.4 percent decrease can hardly deliver much good news – but I suppose it is better than an increase.

Some people also assumed that this is the first time that the year-on-year rate of new vulnerability disclosures has decreased. In fact, X-Force have been tracking vulnerability disclosure since 1995 and there have been other years where rates have dipped, but the graph shown only goes back to the start of millennium – hence the mistaken conclusions.

I guess the question for many people is “why the decrease?”

Here are my thoughts on what has probably influenced this marginal decrease in the rate of public disclosures (in order of influence value):

1. Decreasing Appeal – by that I mean, the disclosure numbers have become so large that finding a vulnerability has much less impact nowadays. Just a couple of years ago, there was still a lot of kudos associated with being able to say that you had discovered dozens of vulnerabilities. That street-cred has diminished of late largely due to the high volume of fuzzer-found vulnerabilities by what many would call script-kiddies and the “statistical insignificance” of many finds.
   Don’t get me wrong, there are still a lot of professional (and would-be-professional) bug-hunters seeking out new vulnerabilities. However, to differentiate themselves from the fuzzing script-kiddies there’s been an increased emphasis on only really pursuing high-impact vulnerabilities – i.e. bugs that will stand out amongst the statistical hordes. This is probably an influence on the percentage increase in high-impact vulnerability disclosures in 2007.
2. Vendor Improvements – in the way they test and QA new product releases have matured. Sure, this year’s top-10 vulnerable vendors probably looks much like any previous year, but most have been improving how they test the security of their products. It can be a little difficult to see because the major vendors are constantly releasing new software. If you take a look at the volume of products they supported throughout 2007 (both new products released in 2007 and previous years “current” product portfolios), you’ll probably notice that each had more software than ever before.
   However, the vast majority of software isn’t produced by the top-10 vendors – so John Doe’s auto-search PHP-scripted portal is unlikely to have been caught up in the “test the security before you ship it” movement.
3. Professional bug-hunters – have increasingly achieved what they sought – i.e. to get noticed, and be paid by the vulnerable vendors themselves. I know literally hundreds of reverse-engineers and researchers that have great track records for finding vulnerabilities. Just about all of them are now employed as full-time security consultants – selling their skills to the vendors of the software they used to publicly disclose vulnerabilities in.
   Just about all of them drove the “revolution” in security testing and QA back in 2004/2005, and now contract their skills to the vendors – driving the improvements from within. I guess a regular salary beats a few disclosures on Bugtraq.
   Now don’t conclude that these professional bug-hunters aren’t still finding new vulnerabilities outside their vendor contracts. They still are. However, the volume of new discoveries is less – due to a mix of finding the time necessary to do the research, and only really pursing the juicy high-impact vulnerabilities that would improve their reputation (and consequently their consulting rates).
4. Vulnerability purchase programs – have helped weed out a lot of the “lame” vulnerabilities and add an additional step (and time delay) to the vulnerability disclosure process. I think that many of the would-be-professional bug-hunters have found that, in order to earn money from their bugs, they have to do more work than just saying “if I do this, the application causes a stack overflow”.
   To sell their vulnerability, they have to prepare more information about their “security” flaw – all this takes time and effort. In addition, by going through this information gathering process, it becomes easier to uncover the exploit impact of the vulnerability – which probably causes more than a few would-be-professionals to go to the additional effort of proving that their “DoS” discovery could really be a reliable remote-access vulnerability (i.e. worth more money).

Obviously we’ll all be watching how vulnerability disclosures pan-out in 2008. I’m sure we’d all like to see the disclosure rate to continue to drop. However, there are a lot of dynamics to the vulnerability disclosure business and year-on-year rates have done unexpected things before.

Since so much of bug hunting is now tool-based using automated fuzzers, any substantial improvement in tool quality during 2008 could cause the total number of disclosures to sky rocket.