Steve Christey, the CVE Editor from MITRE, and I gave a presentation at Black Hat Briefings 2013 on the problems we have witnessed over the years with poor vulnerability statistics. Rather than just debunk a handful, which we did, we also went into extensive detail on the different types of bias that ultimately lead to these bad stats. In addition to showing concrete examples of how the bias plays out, and how a single researcher can significantly impact stats, we also point out examples of ‘good-ish’ stats, since we haven’t seen truly good ones yet. Why? The data sources are so primitive, but they are all we have right now. In addition to the the slides presented, we left in over 40 additional working slides that didn’t make the cut. As always, there is additional commentary, references, and notes in the PPT that weren’t seen in the presentation.
