Large Scale Characterization of Software Vulnerability Life Cycles
IEEE Transactions on Dependable and Secure Computing ( IF 7.3 ) Pub Date : 2020-07-01 , DOI: 10.1109/tdsc.2019.2893950
Muhammad Shahzad , M. Zubair Shafiq , Alex X. Liu

Software systems inherently contain vulnerabilities, and their exploitation has in the past resulted in significant revenue losses. Studying the various aspects of vulnerabilities, such as their severity, the rates of disclosure, exploit release and patch release, and the existence of common vulnerabilities across different products, can help improve the development, deployment, and maintenance of software systems. It can also inform the design of future security policies and audits of past incidents. Furthermore, such analysis can help customers assess the security risks associated with the software products of different vendors. In this paper, we conduct an exploratory measurement study of a large software vulnerability data set containing 56077 vulnerabilities disclosed from 1988 to 2013. We investigate vulnerabilities along the following eight dimensions: (1) phases in the life cycle of vulnerabilities, (2) evolution of vulnerabilities over the years, (3) functionality of vulnerabilities, (4) access requirements for exploiting vulnerabilities, (5) risk level of vulnerabilities, (6) software vendors, (7) software products, and (8) existence of common vulnerabilities in multiple software products. Our exploratory analysis uncovers several statistically significant findings that have important implications for software development and deployment.
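The first of the eight dimensions, the phases of a vulnerability's life cycle, is measured as the intervals between disclosure, exploit release and patch release. The script below is an added example of how those intervals are computed and aggregated; it is not code from the paper, and the records, vendor names and field names are constructed for illustration. It also flags the two edge cases a practitioner cares about: an exploit dated before disclosure (a zero-day in the life-cycle sense) and a vulnerability for which an exploit existed before the patch shipped.

```python
"""Added example (not the paper's code): life-cycle lags of vulnerabilities
relative to their disclosure date, computed over constructed records."""
from __future__ import annotations

from datetime import date
from statistics import median
from typing import Optional

# Constructed sample records (hypothetical vendors and identifiers, not real
# CVEs). Dates are ISO strings; an unknown exploit or patch date is None.
RECORDS = [
    {"id": "V-1", "vendor": "A", "disclosed": "2010-01-10", "exploit": "2010-01-15", "patch": "2010-02-01"},
    {"id": "V-2", "vendor": "B", "disclosed": "2011-03-01", "exploit": "2011-02-20", "patch": "2011-03-05"},
    {"id": "V-3", "vendor": "A", "disclosed": "2012-06-01", "exploit": None,         "patch": "2012-06-01"},
    {"id": "V-4", "vendor": "B", "disclosed": "2013-05-20", "exploit": "2013-07-01", "patch": "2013-05-25"},
]


def _days(start: str, end: Optional[str]) -> Optional[int]:
    """Signed number of days from start to end; None when end is unknown."""
    if end is None:
        return None
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def lifecycle_lags(records: list[dict]) -> list[dict]:
    """Per-vulnerability lags measured from the disclosure date.

    exploit_lag < 0: an exploit existed before public disclosure (zero-day).
    patch_lag   < 0: the fix shipped before disclosure (coordinated disclosure).
    exploited_before_patch is None when either date is unknown.
    """
    out = []
    for r in records:
        e = _days(r["disclosed"], r["exploit"])
        p = _days(r["disclosed"], r["patch"])
        out.append({
            "id": r["id"],
            "vendor": r["vendor"],
            "exploit_lag": e,
            "patch_lag": p,
            "exploited_before_patch": (e < p) if (e is not None and p is not None) else None,
        })
    return out


def summarize(records: list[dict]) -> dict:
    """Aggregate statistics of the kind a life-cycle measurement study reports."""
    lags = lifecycle_lags(records)
    exploit = [l["exploit_lag"] for l in lags if l["exploit_lag"] is not None]
    patch = [l["patch_lag"] for l in lags if l["patch_lag"] is not None]
    both = [l for l in lags if l["exploited_before_patch"] is not None]
    by_vendor = {}  # vendor -> list of patch lags, for the per-vendor dimension
    for l in lags:
        if l["patch_lag"] is not None:
            by_vendor.setdefault(l["vendor"], []).append(l["patch_lag"])
    return {
        "n": len(lags),
        "median_exploit_lag": median(exploit) if exploit else None,
        "median_patch_lag": median(patch) if patch else None,
        "zero_days": sum(1 for x in exploit if x < 0),
        "exploited_before_patch": sum(1 for l in both if l["exploited_before_patch"]),
        "with_both_dates": len(both),
        "median_patch_lag_by_vendor": {v: median(x) for v, x in sorted(by_vendor.items())},
    }


if __name__ == "__main__":
    for row in lifecycle_lags(RECORDS):
        print(row)
    print(summarize(RECORDS))
```

Vulnerabilities lacking an exploit or patch date are excluded from the corresponding statistic rather than treated as zero, which is the choice that avoids biasing the medians toward the disclosure date; on a real data set the fraction of records with both dates known should be reported alongside the medians.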

Updated: 2020-07-01