Looking back at all (now) published vulnerabilities in #curl that were present in code from 2020 until now, at no point in those years was the share of "C mistakes" higher than 15% of all vulns.

Through all years, the C mistake share of all vulnerabilities in #curl was never above 45% at any single point in history.

@bagder What changed ~2018? That's a pretty steep decline in C-related vulnerabilities.
@jake I can't say or spot any specific change or process we did that could explain that...

@bagder @jake pure guess, maybe vulns in curl take years to discover (especially as software engineering techniques improve and make them harder to write in the first place), so we're not yet seeing the "latest" vulns, only the old ones?

It should be fairly easy to disprove though, @bagder do you have data on how long vulns stay in curl on average/median?

@poliorcetics @jake that's entirely true. Vulns in curl are 8 years old on average when reported! But also: there's no particular age difference between found vulns if they are C mistakes or not, so there's nothing that says they will change a lot. But we don't know...