The number of disclosed vulnerabilities is on track to fall below 8,000 this year.
The number of disclosed vulnerabilities is on track to fall below 8,000 this year.

IBM's X-Force research team found that the number of publicly disclosed vulnerabilities is on track to dip below 8,000 bugs this year – a projected three-year low for disclosures.

The threat intelligence report for Q3, found that just over 3,900 new vulnerabilities were reported as affecting 926 vendors throughout the first half of the year. The report (PDF) said that, if the trend continues, the number of disclosed bugs will fall shy of 8,000 for the first time since 2011.

While IBM said it was “difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014,” researchers noted that the number of vendors disclosing bugs had dipped significantly.

Last year, 1,602 vendors disclosed bugs affecting users, while only 926 vendors have done so, so far, in 2014, the report said.

“Even with the projected decline in the overall number of vulnerability disclosures in 2014, the number of vulnerabilities disclosed by the largest enterprise software vendors remains relatively unchanged year over year (34 percent in 2013, compared to 32 percent in 2014),” the report said.

In summary, the top 10 enterprise software vendors (which were noted as consistently disclosing a “significant number” of bugs) remained static, the findings showed.

In a Tuesday interview, Michael Hamelin, IBM X-Force lead security architect, told SCMagazine.com that another contributing factor for lowered disclosures could be that researchers were focusing on bugs that were “more difficult” to identity and analyze this year, leaving them to report fewer software flaws.

As the report noted, however, it's hard to overlook the fact that 676 fewer vendors disclosed vulnerabilities throughout this year.

“One thought was that a lot of the other [smaller] vendors hadn't participated,” Hamelin said, later adding that the hundreds of absent vendors caught the team's attention.

“We wondered whether the smaller vendors were not allocated the resources to participate in the vulnerability disclosure [process],” Hamelin said.