by uola 3537 days ago
I wouldn't say "all projects". The statement is based on the premise that they introduce and remove vulnerabilities at a certain rate. A project that introduces fewer vulnerabilities or finds them faster would be less likely to have privately known vulnerabilities at any given time.

Good point. Though without perfect hindsight (or looking at any given time), it's certainly possible that there are entire categories of privately known vulnerabilities which are not even on the public radar. So it's quite possible that the rate at which known vulnerabilities are fixed might be very misleading. I guess they would offer a good base for the discussion nevertheless.
Sure, or if you find a way to find certain vulnerabilities quicker. A bug with a 5-year life span that you can find in 1 month doesn't require you to find them too frequently, and more projects that fix such bugs in 1 year will also be vulnerable.

This is what I would assume someone like the NSA does. They would have calculated a window of where it's most advantageous for them to find a bug and will then spend the resources at that time. Both in terms of bug life time and severity, but also user share.

> it's certainly possible that there are entire categories of privately known vulnerabilities which are not even on the public radar

This happened many times for both closed and open source projects. Not surprisingly, given how much is paid for a 0-day.