Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Jul 2017 12:04:20 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: Estimate for the total number of exploitable bugs
 in large linux distro?

> On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
> > What is an estimate for the total number of exploitable bugs in large
> > linux distro?

First you need to define "distribution". Do we go with "all" the packages
shipped? Ok... what about things like firefox? 1500 CVEs... does
that count to the distribtion count?  What about non-free in Debian? Anyone
that ships Flash is also going to see their stats bumped way up.

Now we need to define "exploitable bugs", for example an exploit chain, is
that multiple bugs or do we count that as a single one for this discussion?
There's a lot of /tmp flaws that are "exploitable" but I can pretty much
guarantee nobody will ever bother.

I would then point out the only source of data anyone is mentioning is CVE.
And CVE has counting rules. For example if you find 100 XSS flaws in a php
app (because they forgot to use htmlspecialchars on output) in the same
version we'll assign a single CVE, not 100. So how many bugs do you count
this as?

CVE is also incomplete. There's lots and lots of vulns with no CVE
(something I'm trying to remediate with the DWF).

I would suggest before anyone continue this thread they go read:

it's largely a pointless discussion because the question isn't well
defined, and we know for a fact we don't have good data to answer it

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.