Symantec Global Internet Security Threat Report
Appendix C—Vulnerability Trends Methodologies
Symantec operates one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, the Bugtraq™ mailing list,[223] which has approximately 50,000 direct subscribers who contribute, receive, and discuss vulnerability research on a daily basis. Symantec also maintains one of the most comprehensive vulnerability databases, currently consisting of over 35,000 vulnerabilities (spanning more than two decades) affecting more than 80,000 technologies from over 11,000 vendors.
Following the discovery and/or disclosure of a new vulnerability, Symantec analysts gather all relevant characteristics of the new vulnerability and create an alert. This alert describes important traits of the vulnerability, such as the severity, ease of exploitation, and a list of affected products. These traits are subsequently used both directly and indirectly for this analysis.
After discovering a new vulnerability, Symantec threat analysts classify the vulnerability into one of 12 possible categories based on the available information. These categories focus on defining the core cause of the vulnerability, as opposed to classifying the vulnerability merely by its effect.
The classification system is derived from the academic taxonomy presented by Taimur Aslam et al.,[224] which provides a full description of the possible values below:
Boundary condition error
Access validation error
Origin validation error
Input validation error
Failure to handle exceptional conditions
Race condition error
Web browser vulnerabilities
This metric compares vulnerability data for major Web browsers, namely: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, and Apple Safari. However, in assessing the comparative data, it should be noted that for this report the total number of vulnerabilities in each of these Web browsers is computed by including both vendor-confirmed and non-vendor-confirmed vulnerabilities.
[223] The Bugtraq mailing list is hosted by SecurityFocus (http://www.securityfocus.com). Archives are available at http://www.securityfocus.com/archive/1
[224] “Use of a Taxonomy of Security Faults”: http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-krsul-spaf-taxonomy.pdf