daniel:// stenberg://

2 years ago

daniel:// stenberg://
2 years ago

Number of announced security vulnerabilities in #curl per year, separated into high/critical vs low/medium.

These are real severity levels, not the NVD spicy versions.

#curl

in reply to daniel:// stenberg://

Gustav Wengel

in reply to daniel:// stenberg:// 2 years ago

Damn what happened in 2016?

in reply to Gustav Wengel

daniel:// stenberg://

in reply to Gustav Wengel 2 years ago

there was a security audit that explains parts of it: daniel.haxx.se/blog/2016/11/23…

curl security audit | daniel.haxx.se

^{daniel.haxx.se}

This entry was edited (2 years ago)

in reply to daniel:// stenberg://

Gustav Wengel

in reply to daniel:// stenberg:// 2 years ago

yeah makes sense that would result in a solid spike. Really reassuring to see the amount of high critical vulns go down in the later years though! You're all doing great work

in reply to Gustav Wengel

daniel:// stenberg://

in reply to Gustav Wengel 2 years ago

@geewee thank you, I too like that fact, but it also required this split in severity to show, because of the increase of low/medium ones lately

@Gustav Wengel

in reply to daniel:// stenberg://

Gustav Wengel

in reply to daniel:// stenberg:// 2 years ago

Just shows not all vulnerabilities are born equal!

in reply to daniel:// stenberg://

Stefan Arentz

in reply to daniel:// stenberg:// 2 years ago

Would be interesting to see that next to some other metrics like community size or amount of change in the code base.

in reply to Stefan Arentz

daniel:// stenberg://

in reply to Stefan Arentz 2 years ago

@st3fan hm, let me see what I can do...

@Stefan Arentz

in reply to Stefan Arentz

daniel:// stenberg://

in reply to Stefan Arentz 2 years ago

@st3fan the issue then becomes that the vulns are counted on report date. It mostly looks messy if I add 12 month average number of LOC changed per month

@Stefan Arentz

⇧

daniel:// stenberg:// 2 years ago • •

daniel:// stenberg://
2 years ago