Of any single product, CVE Details reckons, Android had the most reported vulnerabilities in 2016 – but as a vendor, Adobe still tops the list.
The analysis is limited by the fact that only vulnerabilities passing through Mitre's Common Vulnerabilities and Exposures (CVE) database are counted. That's a statistically worthwhile dataset, however, since 10,098 bugs were assigned numbers during 2016.
Even so, with 523 vulnerabilities landing a CVE number in 2016, Android carried nearly double the patch-load of Adobe Flash (which had 266 and was number four on the list).
It's worth noting that while Debian Linux (319 CVEs) and Ubuntu Linux (278 CVEs) landed second and third places, many of the CVEs attributed to those OSs will be inherited from third party packages included in the distributions.
By vendor, Adobe was the clear winner with 1,383 vulnerabilities, with Microsoft in second place at 1,325, Google third with 695, and Apple fourth at 611.
Android had a fairly torrid 2016 in terms of security stories. It inherited a TCP snooping bug from the Linux kernel (August); in the same month it emerged that a Qualcomm “god mode” bug reached production Android devices. The year ended with Mountain View patching the briefly-infamous Dirty COW bug.
It would, however, be unfair to attribute Android's “best in show” award solely to it being a buggy mess of insecure software whose patches are only guaranteed to reach Nexus devices.
Google does, after all, offer a generous and popular bug bounty scheme, making it an attractive target for white- as well as black-hat attackers. The program stretches all the way to US$50,000 if you can manage remote pwnage of TrustZone or Verified Boot.
Researchers have clearly lavished extra love on The Chocolate Factory in 2016: in the CVE Details 2015 analysis, the top four vendors were Adobe (1,588), Microsoft (1,466), Apple (1,264) and Redhat (a paltry 576). ®