I would expect a trend that is somewhat "real" up to (current time - mean age of vuln * 1.5) or so.
And continuing said trend could estimate the number of currently unknown vulnerabilities. One would need to model the trend by extrapolation and/or using commit statistics.
Would it be possible to calculate a "risk factor" for each line of code based on its age? Or would that be complicated by modifications since the bug was introduced?
I think this is slightly better. Shows better how many really old #curl vulnerabilities we have had reported. Age of the flaw in number of years on the y-axis, proper date of the report on the x-axis.
Did I understand correctly that since 2020, 12 vulnerabilities older than 20 years have been fixed? I would have expected that the age of the oldest vuln found would have plateaued at one point (probably at 10-12 years old), but it seems not.
And do we have a graph that shows when a vulnerability was used (first use to being fixed) on the x axis and the age of the vuln on the y axis? But I don't expect that we have such data, or it is so unreliable it's not even useful.
The question I try to answer is "are very old vulns used in practice, and is it as big of a deal as I think at first glance?".
Because there is a chance that if researchers didn't find them earlier, pirates didn't either.
This graph is not very good for actually spotting exactly when the vulns were introduced. It shows when they were fixed and how old they were then.
To see when they were introduced, a better graph is here: curl.se/dashboard1.html#vulns-…