On Fri, Jul 14, 2017 at 10:22:32AM -0400, John Newman wrote:
> Bugs that already have some PoC or other code to exploit the issue? Or
> the sum total of all exploitable bugs, discovered and undiscovered?
>
> The first case should be relatively small with a very current
> release... the second case obviously could be different.
>
I meant all bugs, including the unknown.

> >
> > Also, does the total number decrease, increase or change in some other way
> > over time?
>
> Without patching, discovered bugs will increase over time. The actual
> number of bugs stays the same of course (again, without patching).
>
> Obviously you're a fool if you don't maintain your software...
>

Even with patching, adding new code introduces new bugs, and versions change relatively often in general. There is some discussion on the oss-security mailing list, especially a short paper by Dan Geer.
