A new study due for public release Thursday shows vulnerabilities reported in commercial software applications fell significantly last year, but almost a quarter of those found were considered at high risk for exploitation.
The “2011 Top Cyber Security Risks Report,” based on data from HP DVLabs’ Zero-Day Initiative, HP Web Security Research Group and the Open Source Vulnerability Database, shows vulnerabilities in commercial applications were down from 8,502 in 2010 to 6,843 a year later – 24 percent of which were classified as “highly severe” by the National Vulnerability Database’s Common Vulnerability Scoring System.
Those overall numbers reflect a continuing downward trend for vulnerability disclosures since that figure peaked at some 11,000 reports in 2006, according to earlier risk reports.
However, an HP security product marketing manager told Network World the decrease applies only to commercially available software and does not address any vulnerabilities found in custom-coded applications and online tools. It’s possible that at least part of that 19.5% drop is due to more companies keeping discoveries just between themselves and bug hunters.
As software coding becomes more sophisticated, more time and expertise are needed to uncover vulnerabilities before they are actively exploited. That has, in turn, raised the stakes – and rates – for bug bounty programs in recent years and may also affect how many defects are reported.
“We think that this may be one of the reasons why we see the decline,” Jennifer Lake, security product marketing manager at HP DVLabs, told SCMagazine.com. “People are spending more time finding these vulnerabilities, and there’s a smaller pool that can find this level of vulnerability.”