Examination of Open Source Releases and Their Vulnerabilities”, published in the Proceedings of the 2012 ACM Conference on Computer and Communications Security, demonstrate that the number of exploitable bugs does not always decrease with each new release. They also found that the rate of discovery of exploitable bugs begins to drop three to five years after the initial release. Interestingly, none of these findings (including ours) clearly indicate that security bugs decrease as projects evolve. Hence, such bugs and the attacks stemming from them (SQL injection attacks, cross-site scripting) appear to be an issue that will continue to draw the attention of researchers and practitioners alike.
[1] The present research is under the Action 2 of Athens University of Economics and Business’ (AUEB) Research Funding Program for Excellence and Extroversion of the academic year 2014/2015. It is financed by the University’s Research Center.

Dimitris Mitropoulos is a postdoctoral researcher at the Athens University of Economics and Business. His research interests include application security, systems security, software evolution and software engineering.
[Figure 1: nine per-project histogram panels; the per-panel values (total population size, no-correlation instances) are (2240, 1848), (2780, 2418), (1967, 1450), (2212, 1869), (1217, 1064), (1677, 1448), (1970, 1656), (182, 173), (843, 748).]

Figure 1. Histograms of correlations between bug counts and version ordinals per project. The total population size and the number of no correlation instances are shown in brackets.
Is what it cost to build the famous “Deep Crack” machine, which broke a DES encrypted message during the DES Challenge II-2 in 56 hours on July 15, 1998.