Great news. Patch load drops 20% for the first time in 10 years. Bad news: Well, you've heard about coronavirus?

Fix the crits, sort out the rest later


Over the first quarter of 2020, the number of security bugs disclosed by software makers fell 20 per cent, though not for any of the right reasons, it seems.

Analysts at Risk Based Security cited both internal data and public reports from vendors in putting the number of security vulnerabilities reported over the first three months of the year at 4,968, down from 6,198 over the same period in 2019.

This marks the first time in 10 years that the biz has seen a drop from the previous year's quarter.

While the analysts are not certain why there was such a sharp fall, they say it's probable that the dip had more to do with the COVID-19 coronavirus outbreak, and the resulting economic downturn, than with any sudden improvement in the quality of code being written.

"The big outlier and unknown is COVID-19," Brian Martin, Risk Based Security's vice president of vulnerability intelligence, told The Reg. "That speculation is what we were thinking months ago, though we didn't expect [the number] to go down so much."

One likely explanation, Martin told us, is that there are simply more vulnerability reports incoming than there are people at vendors who can handle them. With offices cleared out, productivity down as folks adjust to home working, and job cuts becoming more prevalent to reduce costs, many software makers could be struggling to keep up, with Chinese vendors getting hit earliest, followed by Europe and the US.

"A company may say we are down on our staff, we might only write advisories for critical vulnerabilities," Martin said. "At the end of the year as companies staff their security teams back up we might see them retroactively release advisories."

Lot of crits out there

This, as Martin noted, can be dangerous for end users and companies, as they stand to miss out on patches for issues that aren't being publicly documented or addressed at all. He reckoned that, for the quarter, some 561 reported bugs were not given CVE numbers, and 60 per cent of those were critical issues, such as remote code execution bugs.

The number of publicly disclosed bugs is likely to pick up over the course of the year, and as the backlogs start to get sorted out, the analyst believes the total tally could climb back up around 6,000, still down slightly from 2019, but more in line with the levels seen in previous years.

That recovery, however, could take some time, and Martin told The Reg we're likely to see vendors looking to play catch-up by backloading non-essential patching and documentation towards the end of the year and into the first quarter of 2021.

In other words, don't be too surprised if, later this year, we get a flood of security advisories that reference bugs from the early months of the year. It doesn't mean that we're being overloaded with zero-days, rather it will just be a matter of companies getting caught up on publicly disclosing things from the first quarter.

"Even though the solution may have been made in February, the advisory won't come out until November," Martin said. "It could carry on into the New Year, in the fourth quarter or Q1 of 2021 we might see it." ®

