Bounties keep reported bug count low, but severity high

The overall number of new vulnerabilities reported in 2011 has gone down, but the decline could be tied to companies offering higher price tags for information regarding flaws that are more difficult to find.

According to the biannual "2011 Top Cyber Security Risks Report" from HP Digital Vaccine Labs (DVLabs), set to be released Thursday, the downward progression in the number of new defects being reported may be indicative of trends in the vulnerability disclosure market.

The report's findings are based on a number of sources, including HP DVLabs' Zero Day Initiative, web application data from the HP Fortify Application Security Center (ASC) Web Security Research Group, and the Open Source Vulnerability Database (OSVD), an independent open source database.

In 2010, OSVD cataloged 8,502 reported vulnerabilities in internet-based systems, applications and other computing tools, but the latest report said the number fell nearly 20 percent, to 6,843, last year. Of those vulnerabilities reported, 24 percent were classified as “highly severe,” which means saboteurs can obtain complete control over a system.

Flaws in applications are rated using the Common Vulnerability Scoring System (CVSS), as applied by the National Vulnerability Database, on a scale of one to 10. For a bug to be considered “highly severe,” its score must fall in the eight to 10 range.

According to the report, the growing difficulty of uncovering vulnerabilities, combined with the market value of bugs with high CVSS ratings, pushes up the price tag for reported flaws. Finding and dissecting flaws of this severity requires more expertise and more time, so they fetch a higher payment from bug bounty programs or affected software vendors, the report said.

Most of the less critical flaws have already been detected and fixed by the affected companies, or researchers did not bother to find them in the first place, which accounts for the lower total number of defects being reported.

Analyzing the severe bugs requires a strong expertise in the vulnerable application, Jennifer Lake, security product marketing manager at HP DVLabs, told SCMagazine.com on Tuesday.

“We think that this may be one of the reasons why we see the decline,” she said. “People are spending more time finding these vulnerabilities, and there's a smaller pool that can find this level of vulnerability.”

In addition to examining vulnerabilities, the report also analyzed changes in attack trends, the rise of attacks concentrated on a “smaller” set of known flaws, and improved techniques for carrying out security attacks.

Twice a year, HP DVLabs releases the study to map out the current threat landscape.
