Full Disclosure mailing list archives

Is the number of vulnerabilities going up? Is Symantec counting wrong?


From: Henrik Lund Kramshøj <hlk () kramse dk>
Date: Thu, 6 Feb 2003 15:54:55 +0100

Hi there

In today's mail I read the following from
SECURITY WIRE DIGEST, VOL. 5, NO. 10, FEBRUARY 6, 2003:
*NEW REPORT: ATTACKS DOWN, VULNERABILITIES UP
Attacks on Internet-connected machines were down, while the number of
exploitable software vulnerabilities went up--way up--during the second
half of 2002, according to a biannual report by enterprise security
solutions provider Symantec. The 30-attacks-per-week average for companies
monitored by the AV software giant represents a 6 percent drop from the
first half of 2002. Less than 2 percent of all incidents reported
represented aggressive attacks, while a whopping 85 percent were more
along the lines of probes for holes to exploit, according to the Internet
Security Threat Report. Along those lines, Symantec recorded more than
2,500 newly identified vulnerabilities in various software products during
all of 2002, an 81.5 percent increase over the previous year.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539

What is going on here?
I have read this in several places now, and it bugs me.

If you go read the report, it says stuff like:
"The total number of new, documented vulnerabilities in
2002 was 81.5% higher than in 2001."
"Symantec documented 2,524 new vulnerabilities
over the past year, which amounted to an 81.5%
increase over 2001."

I guess they mean that securityfocus, owned by Symantec now,
copied from the bugtraq mail folder to their website, and thereby "documented".

But what is going on here? If I read the statistics at
http://icat.nist.gov/icat.cfm?function=statistics

it says:

Total Vulnerability Count
Year  Vulnerability Count
2003    34
2002  1307
2001  1506
2000   990

So 1307 vulns for 2002, down from 1506 in 2001!
As a rule of thumb I sometimes say the number of known vulnerabilities
currently grows by "about" 100 new per month.

Can someone explain this?
- or does Symantec have a load of vulns they haven't disclosed yet ;-)

I know that securityfocus is sometimes ahead of CVE, which is fine, but
why does ICAT/CVE say 1307 vulns for 2002, while Symantec says 2500?

Is this just to stir up some fear and sell more products? (Not that I have anything against their products, and I buy their antivirus regularly for people I know.)

Best regards

--
Henrik Lund Kramshøj
hlk@{kramse.dk|inet6.dk|sikkerhedsforum.dk|security6.net}
Please read email policy at http://www.kramse.dk/email
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html