undefined | Better HN

0 pointsVexs11d ago0 comments

Published CVEs seems a bad metric to use for this- unless we assume that the ratio of really nasty vulns/not-too-bad vulns is consistent.

0 comments

carlmr11d ago

Also the question remains if more CVE laden code was produced in the first place, instead of automated detection improvements.

It's easier to find a needle in the haystack if the haystack is 50% needles.

red-iron-pine11d ago

have the AI vibe code crappy apps so the related AI vuln finder can fix them

just doubled the value and use cases of your AI solution!

marysol510d ago

They've been doing that for a long while.

Publish something to Github in a public repo? It pulls it, scans it, and reports!

Especially if you accidentally put in keys

om4211d ago

Another reason published CVEs isn't a great metric is that one of the largest contributors to the number of CVEs significantly increasing in the past couple years has been that the Linux kernel now submits almost all bugs as CVEs which wasn't the case before.

jcims11d ago

Good consideration but I still think there’s an uptick. This is all AI generated as I’m not in a spot to do anything more at the moment but this is a chart of ‘linux kernel’ CVEs rated as high/critical correlated with NVD.

https://imgur.com/a/0DrJuLU

marysol510d ago

There's been CVE's published for software that didn't even exist!

j / k navigate · click thread line to collapse