Message-ID: <20170714150537.3e2irp53kwj5xsn7@LykOS.localdomain>
Date: Fri, 14 Jul 2017 11:05:39 -0400
From: Santiago Torres <torresariass@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Estimate for the total number of exploitable bugs
 in large linux distro?

On Fri, Jul 14, 2017 at 12:34:01PM +0300, Georgi Guninski wrote:
> What is an estimate for the total number of exploitable bugs in large
> linux distro?
> 

You may want to look at [1] for the case of ArchLinux. Do consider the
caveat brought up by other people on the list: CVE numbers are not a 1:1
mapping to bugs (or even exploitable bugs). For example, there are
vendors that group all bugs discovered in a period (or with a conceptual
similarity) under one CVE number, whereas others take multiple
variations of a bug and request an individual CVE for each. Needless to
say, some bugs never get a CVE ;).

> Also, does the total number decrease, increase or change in other way
> over time?

You could use the JSON API [2] on [1] to get a rolling count if you'd like
to measure this (also pasted on [3]):

>>> import json, requests
>>> response = requests.get("https://security.archlinux.org/vulnerable/json")
>>> data = json.loads(response.content)
>>> len(data)
34

Cheers!
-Santiago.

[1] https://security.archlinux.org/vulnerable
[2] https://security.archlinux.org/vulnerable/json
[3] https://bpaste.net/show/faa58aab9b1e 
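
Added example (not part of the original message and not the tracker's own code): the bare len(data) above counts tracker entries, so this sketch separates entries, distinct CVE ids and packages, and diffs two snapshots to show how the set changes even when the count does not. The field names "name", "packages", "severity" and "issues" are an assumption about the JSON at [2]; all sample entries and CVE ids are constructed placeholders.

```python
from collections import Counter

# Constructed snapshot; the entry layout is an assumption about the JSON at [2].
SNAPSHOT_A = [
    {"name": "AVG-0001", "packages": ["libfoo", "lib32-libfoo"], "severity": "High",
     "issues": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]},
    {"name": "AVG-0002", "packages": ["bar"], "severity": "Medium",
     "issues": ["CVE-0000-0004"]},
    {"name": "AVG-0003", "packages": ["baz"], "severity": "High",
     "issues": ["CVE-0000-0002"]},            # same CVE id listed by two entries
    {"name": "AVG-0004", "packages": ["qux"], "severity": "Low",
     "issues": []},                           # tracked, but no CVE assigned
]

# Constructed later snapshot: AVG-0001 was fixed, AVG-0005 was opened.
SNAPSHOT_B = SNAPSHOT_A[1:] + [
    {"name": "AVG-0005", "packages": ["quux"], "severity": "Critical",
     "issues": ["CVE-0000-0005", "CVE-0000-0006"]},
]


def summarize(entries):
    """Report entries, distinct CVE ids and packages as separate numbers."""
    cves = {cve for e in entries for cve in e.get("issues", [])}
    packages = {pkg for e in entries for pkg in e.get("packages", [])}
    return {
        "entries": len(entries),              # what len(data) reports
        "distinct_cves": len(cves),
        "packages": len(packages),
        "entries_without_cve": sum(1 for e in entries if not e.get("issues")),
        "by_severity": dict(Counter(e.get("severity", "Unknown") for e in entries)),
    }


def diff_snapshots(old, new):
    """Return (opened, closed) entry names between two snapshots."""
    old_names = {e["name"] for e in old}
    new_names = {e["name"] for e in new}
    return new_names - old_names, old_names - new_names


if __name__ == "__main__":
    # With live data, replace the constants with json.loads() of the response from [2].
    for label, snap in (("A", SNAPSHOT_A), ("B", SNAPSHOT_B)):
        print(label, summarize(snap))
    opened, closed = diff_snapshots(SNAPSHOT_A, SNAPSHOT_B)
    print("opened:", sorted(opened), "closed:", sorted(closed))
```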
