alt Hacker NewsPublished CVEs seems a bad metric to use for this- unless we assume that the ratio of really nasty vulns/not-too-bad vulns is consistent.
Replies
om42 • yesterday at 4:31 PM
Another reason published CVEs isn't a great metric is that one of the largest contributors to the number of CVEs significantly increasing in the past couple years has been that the Linux kernel now submits almost all bugs as CVEs which wasn't the case before.
Also the question remains if more CVE laden code was produced in the first place, instead of automated detection improvements.
It's easier to find a needle in the haystack if the haystack is 50% needles.