We examine vulnerabilities in product code, like software and firmware, and their implementation in information systems.

Vulnerabilities known only to closed groups, like cyber criminals, brokers, and governments, pose a significant risk to all users of the affected software.

Data from rigorous testing shows that 100% attack prevention is an illusion. Organizations should assume compromise and prioritize breach detection alongside prevention.

This white paper details how cybercriminals have refined malware to systematically bypass traditional defenses, sparking an arms race with defenders.

Our analysis of a decade of software vulnerabilities reveals that extrinsic factors significantly impact vulnerability discovery rates more than intrinsic properties like software quality.

We monitored security sites every 30 minutes for over 18 months, creating a unique dataset to compare CERT and private offerings.

We analyzed the patch development process of Microsoft and Apple from 2002 to 2007, using public vulnerability data to assess potential bias in vendor information.

Analyzing over 80,000 security advisories, we identified trends in zero-day exploits and measured the gap between exploit and patch availability.