by vii 2115 days ago
From the underlying paper there are several interesting snippets https://arxiv.org/pdf/2009.01694.pdf

> while maintainers are aware of that they sometimes intentionally bypass the process, they were surprised of the magnitude of unreviewed patches

Would love to see an analysis of these changes - are they just simple merge style fixes or rearrangements, or more significant?

And then there is the hard-to-define distinction between a security bug and a normal bug, which is then mixed into the incredible productivity and pace of kernel development:

> Kroah-Hartman argues that only a small fraction of Linux kernel security fixes are assigned to CVE entries. From 2006-2018, 1005 CVEs were assigned to the kernel. He argues that, on average, bugs with CVE entries are 100 days fixed in mainline before they get a CVE assigned.

Seems there is a long lag between the bug being introduced and the exploit discovered, so there must be many potential security exploits that are never discovered before they are fixed - and so are not practically exploitable as they never get into downstream distribution kernels.