Researchers of the Comparitech team have dug deep into the “CVE Details” database, analyzing data from 1999 to 2019. The source contains over 64,000 logged flaws for 50 vendors and 73,000 across 50 products. So, which vendor and which product top the lists, and what does this mean exactly for their security?
Counting from 1999 to 2019, Microsoft sits at the top with 6,700 vulnerabilities, Oracle is second with 5,500, and IBM is third with 4,600. Google, Apple, and Cisco follow closely behind, while the rest of the list mostly concerns Linux and open-source projects in general.
Debian had a spike in vulnerability reports in 2018, logging a whopping 1,200, and this also happens to be the record-breaking year in general, recording a total increase of 19.3% compared to 2017.
As for the products with the most distinct vulnerabilities, Debian Linux comes first, Android second, and the Linux kernel third. Windows 7, 10, Server 2008, Firefox, MacOS X, Ubuntu, Chrome, and the iOS follow right after.
So, does this mean that Debian Linux is extremely insecure and vulnerable to a wide range of exploitation scope? The answer is "not necessarily." Finding and reporting bugs is a key step in the process of securing a product, as you can’t fix what remains undiscovered.
Surely, finding a large number of flaws in software code indicates that the developers were not careful enough or very considerate towards matters of security when they were writing code, but this is not to be determined by these stats alone.
In Linux and open-source software, we often see the introduction of bugs happening through code and commits that come from a large number of contributors, and it's hard to scrutinize them all properly. Many of those who are reviewing the contributions are volunteering themselves, so there’s a lot that can slip through.
On the other side, open-source projects enjoy big help from user reports, who are generally more tech-savvy. Thus, the "free software" userbase is more prone to fiddling with things, more capable of discovering flaws, and in full conscience on the importance of reporting them.
As for why Microsoft, Oracle, IBM, Google, Apple, and Cisco are at the top of the vendors' list, this is simple to explain too. These are firms that maintain an extensive and complex ecosystem of products, employ teams of full-time security engineers who dig in the code on a daily basis, and run very alluring bug bounty programs that enjoy a constant source of bug reports.