Bounties keep reported bug count low, but severity high


The overall number of new vulnerabilities reported in 2011 has gone down, but the decline could be tied to companies offering higher price tags for information regarding flaws that are more difficult to find.

According to the biannual "2011 Top Cyber Security Risks Report" from HP Digital Vaccine Labs (DVLabs), set to be released Thursday, the decline in the number of new defects being reported may reflect trends in the vulnerability disclosure market.

The report's findings are based on a number of sources, including HP DVLabs' Zero Day Initiative, web application data from the HP Fortify Application Security Center (ASC) Web Security Research Group, and the Open Source Vulnerability Database (OSVD), an independent open source database.

In 2010, OSVD cataloged 8,502 reported vulnerabilities in internet-based systems, applications and other computing tools, but the latest report said the number fell nearly 20 percent, to 6,843, last year. Of those vulnerabilities reported, 24 percent were classified as “highly severe,” which means saboteurs can obtain complete control over a system.

Flaws in applications are rated through the National Vulnerability Database's Common Vulnerability Scoring System (CVSS) on a scale of 1 to 10. For a bug to be considered "highly severe," it must score in the 8 to 10 range.

According to the report, the growing difficulty of uncovering vulnerabilities, combined with the market value of bugs with high CVSS ratings, boosts the price tag for reported flaws. Finding and analyzing a vulnerability of this severity requires expertise and more time, so such a flaw fetches a higher payment from bug bounty programs or affected software vendors, the report said.

Most of the less critical flaws had already been detected and fixed by the affected companies, or researchers didn't bother finding them in the first place -- which accounts for the lower total number of defects being reported.

Analyzing the severe bugs requires a strong expertise in the vulnerable application, Jennifer Lake, security product marketing manager at HP DVLabs, told SCMagazine.com on Tuesday.

“We think that this may be one of the reasons why we see the decline,” she said. “People are spending more time finding these vulnerabilities, and there's a smaller pool that can find this level of vulnerability.”

In addition to examining vulnerabilities, the report also analyzed changes in attack trends, the rise of infiltrations on a “smaller” set of known flaws, and improved techniques in carrying out security attacks.

Twice a year, HP DVLabs releases the study to map out the current threat landscape.
