The issue, though, is that he estimates that there also were 132,115 undisclosed vulnerabilities discovered last year. That means only 5.48% of them were disclosed to the public.Source: InformationWeek.
"To be sure, 139,362 new vulnerabilities in a single year is a colossal number, but is it wrong?" asked Ollmann in his blog entry. "Too many people underestimate the number of vulnerabilities in the software they use at home and in the enterprise office. Public vulnerability disclosures provide only a small window into the total number of vulnerabilities uncovered on an annual basis."
What does that mean to the IT or security manager trying to protect their network?
"If you're basing your protection strategy upon keeping up solely with public vulnerability disclosures, you're missing almost 95% of the vulnerabilities actually out there (this year)," said Ollmann. "If your defense systems are designed to protect against specific vulnerabilities (i.e. signature-based), it probably means that it was designed to protect a subset of publicly disclosed vulnerabilities. Preemptive protection engines are needed for the remaining 97% of annual vulnerabilities."
IBM: only 5% of bugs disclosed
Posted on Sunday, June 10 2007 @ 11:10 CEST by Thomas De Maesschalck