oss-sec mailing list archives

Re: Estimate for the total number of exploitable bugs in large linux distro?


From: Santiago Torres <torresariass () gmail com>
Date: Fri, 14 Jul 2017 11:05:39 -0400

On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
> What is an estimate for the total number of exploitable bugs in large
> linux distro?


You may want to look at [1] for the case of ArchLinux. Do consider the
caveat brought up by other people on the list: CVE numbers are not a 1:1
mapping to bugs (or even exploitable bugs). For example, there are
vendors that group all bugs discovered in a period (or with a conceptual
similarity) under one CVE number, whereas others take multiple
variations of a bug and request an individual CVE for each. Needless to
say, some bugs never get a CVE ;).

> Also, does the total number decrease, increase or change in some other way
> over time?

You could use the JSON API [2] on [1] to get a rolling count if you'd like
to measure this (also pasted on [3]):

import json, requests

# Fetch the list of currently open vulnerability entries from the tracker
response = requests.get("https://security.archlinux.org/vulnerable/json")
data = json.loads(response.content)
print(len(data))  # 34 entries at the time of writing

Cheers!
-Santiago.

[1] https://security.archlinux.org/vulnerable
[2] https://security.archlinux.org/vulnerable/json
[3] https://bpaste.net/show/faa58aab9b1e 
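As an added example (not code from the post or the tracker project), the script below turns a feed in the tracker's shape into a snapshot that separates vulnerability groups (what len(data) above counts) from distinct CVEs and packages, and emits a CSV line for a rolling log. The record field names, the sample records and the fetch_live helper are assumptions, not documented by the post.

```python
import json
import urllib.request
from collections import Counter
from datetime import datetime, timezone

TRACKER_URL = "https://security.archlinux.org/vulnerable/json"

# Constructed sample shaped like the tracker's feed: one record per
# vulnerability group, each bundling the CVEs it covers. The field names
# (name, packages, severity, status, issues) are an assumption about the
# tracker's JSON, not something the post itself documents.
SAMPLE = [
    {"name": "AVG-1", "packages": ["pkg-a"], "severity": "High",
     "status": "Vulnerable", "issues": ["CVE-2017-0001", "CVE-2017-0002"]},
    {"name": "AVG-2", "packages": ["pkg-b"], "severity": "Medium",
     "status": "Testing", "issues": ["CVE-2017-0003"]},
    {"name": "AVG-3", "packages": ["pkg-a"], "severity": "Critical",
     "status": "Vulnerable", "issues": ["CVE-2017-0001"]},
]

def summarize(records):
    """Snapshot of a feed: group count (what len(data) in the post measures),
    distinct CVEs, affected packages, and severity/status breakdowns.
    The groups-vs-CVEs gap is the 'CVEs are not 1:1 with bugs' caveat."""
    cves = {cve for r in records for cve in r.get("issues", [])}
    pkgs = {p for r in records for p in r.get("packages", [])}
    return {
        "groups": len(records),
        "cves": len(cves),
        "packages": len(pkgs),
        "by_severity": dict(Counter(r.get("severity", "Unknown") for r in records)),
        "by_status": dict(Counter(r.get("status", "Unknown") for r in records)),
    }

def snapshot_line(records, when_iso=None):
    """One CSV line 'timestamp,groups,cves,packages' to append to a log
    on each run, so the count can be plotted over time."""
    when_iso = when_iso or datetime.now(timezone.utc).isoformat()
    s = summarize(records)
    return f"{when_iso},{s['groups']},{s['cves']},{s['packages']}"

def fetch_live():
    """Fetch the live feed (needs network; the sample run below avoids it)."""
    with urllib.request.urlopen(TRACKER_URL, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(snapshot_line(SAMPLE))
    print(summarize(SAMPLE))
```

Run it from cron and append the CSV line to a file to get the over-time view asked about; replace SAMPLE with fetch_live() for real data.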


