Re: Estimate for the total number of exploitable bugs in large linux distro?

[Kurt Seifried <kseifried () redhat com>]

> On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
> > What is an estimate for the total number of exploitable bugs in large
> > linux distro?

First you need to define "distribution". Do we go with "all" the packages
shipped? Ok... what about things like firefox?
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox 1500 CVEs... does
that count to the distribtion count?  What about non-free in Debian? Anyone
that ships Flash is also going to see their stats bumped way up.

Now we need to define "exploitable bugs", for example an exploit chain, is
that multiple bugs or do we count that as a single one for this discussion?
There's a lot of /tmp flaws that are "exploitable" but I can pretty much
guarantee nobody will ever bother.

I would then point out the only source of data anyone is mentioning is CVE.
And CVE has counting rules. For example if you find 100 XSS flaws in a php
app (because they forgot to use htmlspecialchars on output) in the same
version we'll assign a single CVE, not 100. So how many bugs do you count
this as?

CVE is also incomplete. There's lots and lots of vulns with no CVE
(something I'm trying to remediate with the DWF).

I would suggest before anyone continue this thread they go read:

https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics-Suck-Slides.pdf

it's largely a pointless discussion because the question isn't well
defined, and we know for a fact we don't have good data to answer it
(yet...).


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com