Bounties keep reported bug count low, but severity high
The overall number of new vulnerabilities reported in 2011 has gone down, but the decline could be tied to companies offering higher price tags for information regarding flaws that are more difficult to find.
According to the biannual "2011 Top Cyber Security Risks Report" from HP Digital Vaccine Labs (DVLabs), set to be released Thursday, the downward progression in the number of new defects being reported may be indicative of trends in the vulnerability disclosure market.
The report's findings are based on a number of sources, including HP DVLabs' Zero Day Initiative, web application data from the HP Fortify Application Security Center (ASC) Web Security Research Group, and the Open Source Vulnerability Database (OSVD), an independent open source database.
In 2010, OSVD cataloged 8,502 reported vulnerabilities in internet-based systems, applications and other computing tools, but the latest report said the number fell nearly 20 percent, to 6,843, last year. Of those vulnerabilities reported, 24 percent were classified as “highly severe,” which means saboteurs can obtain complete control over a system.
Flaws in applications are rated through the National Vulnerability Database's Common Vulnerability Scoring System (CVSS) on a scale of one to 10. For a bug to be considered “highly severe,” it must fall within the eight to 10 range.
According to the report, the growing difficulty in uncovering vulnerabilities, in combination with the market value of bugs with high CVSS ratings, boosts the price tag for reported flaws. Dissecting this degree of vulnerability requires expertise and more time, thus fetching a higher payment from bug bounty programs or affected software vendors, said the report.
Most of the less critical flaws already were detected and fixed by the affected companies, or researchers didn't bother finding them in the first place -- thus accounting for the fewer number of total defects being reported.
Analyzing the severe bugs requires a strong expertise in the vulnerable application, Jennifer Lake, security product marketing manager at HP DVLabs, told SCMagazine.com on Tuesday.
“We think that this may be one of the reasons why we see the decline,” she said. “People are spending more time finding these vulnerabilities, and there's a smaller pool that can find this level of vulnerability.”
In addition to examining vulnerabilities, the report also analyzed changes in attack trends, the rise of infiltrations on a “smaller” set of known flaws, and improved techniques in carrying out security attacks.
Twice a year, HP DVLabs releases the study to map out the current threat landscape.