Almost 85% of your patching is for naught?

I was skimming the IBM/ISS X-Force mid-year report and happened across the statistics that 89.7% of vulnerabilities found by research organizations and 82.5% of vulnerabilities found by independent researchers have no associated exploit code.

My math shows a real rate of around 85%. The information provided is a bit convoluted, but I think it goes like this:

  • 3534 vulnerabilities found
  • 16% of vulns anonymously disclosed = 566 vulns unaccounted for and 2968 left
  • 70% of the 84% of vulns left over were found by independents = 2077 vulns
  • 30% of the 84% were found by research orgs = 891 vulns
  • 89.7% of 891 vulns is 800 and 82.5% of 2077 vulns is about 1714
  • so about 2500 of the 2968 vulns accounted for had no exploit, which works out to about 85% in reality

I can't really get to the bottom of the 16% associated with anonymous disclosure. It seems like the exploit numbers would be available, so maybe they were included even though the text reads (to me) like they aren't included.