by quotheth
3054 days ago
Vulnerability counting is never a metric for security when comparing counts across products. It's very helpful for counting within a product. One simple example - A and B are browsers. A has a bounty program that they invest millions into, B does not. A gets 100 vulnerability reports a month, B gets 5. Is B safer? No. However, let's say we just look at A. It gets 100 a month, and then a new feature is added - suddenly it's 200 a month, and the vulns tend to be in the new codebase. That's interesting information for A - it has nothing to do with B.