An Independent Validation of Vulnerability Discovery Models

Nguyen, Viet Hung; Massacci, Fabio
2012-01-01

Abstract

The vulnerability discovery process normally refers to the post-release stage where people identify and report security flaws in released software. Vulnerability discovery models (VDM) operate on the known vulnerability data to estimate the total number of vulnerabilities present in the software. Successful models can provide useful hints to both software vendors and users in allocating resources to handle potential breaches and tentative patch updates. For example, we do not know exactly the day of major snowfalls, but cities expect snow to fall in winter and therefore plan resources for road clearing in that period. Effective planning is important because security bugs are different from "normal" bugs. A normal bug might be filed and scheduled for fixing in the next release. Meanwhile, a security vulnerability might require an urgent patch to be shipped to customers lest their browser be subject to rogue campaigns. Major shifts in browser usage are often attributed to (real or pe...
2012
ASIACCS
USA
ACM
9781450313032

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/96588