Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities is discovered by Microsoft, by other companies, or by vulnerability brokers? How many flaws have no known discoverer? In this report we analyze the data of the last three and a half years to understand who finds what in the world of Microsoft products, and how severe those flaws are. The result is an interesting insight into who really investigates Microsoft products and reports flaws responsibly, as well as how many vulnerabilities are attributed to someone and how many are not (which might suggest that they were discovered by attackers).
This report addresses how many flaws Microsoft detects in its own code, how severe they are, how the trend has evolved, and how many flaws are found by third parties, either through recognition programs or by their own means.
We have performed a very simple analysis. We collected and processed the information on all attributed CVEs from March 2016 to September 2019. The main source of information has been the following webpage:
These are the attributed vulnerabilities (that is, those reported by an identifiable party, whether an individual or a company). For 2019 (until September) we analyzed 621 attributed vulnerabilities; 607 in 2018, 593 in 2017 and 310 in 2016 (only since April). This makes a total of 2,131 vulnerabilities analyzed. For each of them we took the severity from the official CVSS score published by NIST in the National Vulnerability Database.
Nevertheless, these figures are not the total number of flaws fixed each month or year: we also counted the flaws that were not directly attributed to anyone. We assume that most of these are 0-days exploited in the wild, or other cases where the finder is not known (as opposed to a vulnerability that was reported anonymously). In such cases Microsoft does not credit the finding to anyone in particular. The difference between attributed and 'non-attributed' vulnerabilities (which is not the same as 'anonymous') is shown in the following chart.
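The classification the report relies on (attributed vs. anonymous vs. non-attributed), the grouping of credits into reporter categories, and the per-reporter severity statistics can be reproduced with a short script. The following is an added example, not code from the original report: the records are constructed sample data rather than real CVE acknowledgements, and the keyword-to-reporter map and the "Anonymous" credit convention are assumptions about how Microsoft's acknowledgement strings look. The CVSS qualitative bands are the standard CVSS v3 bands used by NVD.

```python
"""Aggregate vulnerability-acknowledgement records by reporter, severity and year.

Added example (not from the original report). RECORDS is constructed sample
data, not real CVE acknowledgements; REPORTER_KEYWORDS and the "Anonymous"
credit convention are assumptions about how credit strings are written.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample records: year of the fix, the credit string as the vendor
# would publish it (None or "" when nobody is credited), and the NVD CVSS score.
RECORDS = [
    {"id": "sample-01", "year": 2016, "credit": "Google Project Zero", "cvss": 7.8},
    {"id": "sample-02", "year": 2016, "credit": None, "cvss": 8.8},
    {"id": "sample-03", "year": 2016, "credit": "Anonymous", "cvss": 5.5},
    {"id": "sample-04", "year": 2016, "credit": "Microsoft", "cvss": 4.3},
    {"id": "sample-05", "year": 2017, "credit": "Qihoo 360 Vulcan Team", "cvss": 9.8},
    {"id": "sample-06", "year": 2017, "credit": "Trend Micro Zero Day Initiative", "cvss": 8.8},
    {"id": "sample-07", "year": 2017, "credit": "Google Project Zero", "cvss": 10.0},
    {"id": "sample-08", "year": 2018, "credit": "Microsoft", "cvss": 7.5},
    {"id": "sample-09", "year": 2018, "credit": "", "cvss": 7.8},
    {"id": "sample-10", "year": 2018, "credit": "Check Point", "cvss": 6.1},
    {"id": "sample-11", "year": 2019, "credit": "Qihoo 360", "cvss": 8.1},
    {"id": "sample-12", "year": 2019, "credit": "Some Freelance Researcher", "cvss": 7.8},
]

# Assumed keyword -> reporter category mapping; anything unmatched falls into "other".
REPORTER_KEYWORDS = {
    "google": "Google",
    "qihoo": "Qihoo 360",
    "zero day initiative": "ZDI",
    "microsoft": "Microsoft",
    "check point": "Check Point",
}


def classify(record):
    """Attributed (named finder), anonymous (explicitly so) or non-attributed (no credit)."""
    credit = (record.get("credit") or "").strip()
    if not credit:
        return "non-attributed"
    if credit.lower() == "anonymous":
        return "anonymous"
    return "attributed"


def reporter_category(credit):
    """Map a free-text credit string to a reporter category via keyword match."""
    low = credit.lower()
    for keyword, name in REPORTER_KEYWORDS.items():
        if keyword in low:
            return name
    return "other"


def severity_band(score):
    """CVSS v3 qualitative severity bands as published by NVD."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def attribution_share(records):
    """Percentage of records that are attributed / anonymous / non-attributed."""
    counts = Counter(classify(r) for r in records)
    return {k: round(100 * v / len(records), 1) for k, v in counts.items()}


def reporter_stats(records):
    """Per-reporter count, share of attributed flaws, median CVSS and critical count."""
    scores_by_reporter = defaultdict(list)
    for r in records:
        if classify(r) == "attributed":
            scores_by_reporter[reporter_category(r["credit"])].append(r["cvss"])
    total = sum(len(s) for s in scores_by_reporter.values())
    return {
        name: {
            "count": len(scores),
            "share_pct": round(100 * len(scores) / total, 1),
            "median_cvss": round(median(scores), 1),
            "critical": sum(1 for s in scores if severity_band(s) == "Critical"),
        }
        for name, scores in scores_by_reporter.items()
    }


def severity_bands(records):
    """Distribution of attributed flaws across CVSS bands."""
    return Counter(severity_band(r["cvss"]) for r in records if classify(r) == "attributed")


def non_attributed_by_year(records):
    """Percentage of flaws per year that credit nobody (the report's 25% -> 9% trend)."""
    per_year = defaultdict(lambda: [0, 0])
    for r in records:
        per_year[r["year"]][0] += 1
        if classify(r) == "non-attributed":
            per_year[r["year"]][1] += 1
    return {y: round(100 * n / total, 1) for y, (total, n) in sorted(per_year.items())}


if __name__ == "__main__":
    print(attribution_share(RECORDS))
    for name, stats in sorted(reporter_stats(RECORDS).items(), key=lambda kv: -kv[1]["count"]):
        print(name, stats)
    print(dict(severity_bands(RECORDS)))
    print(non_attributed_by_year(RECORDS))
```

Note that an empty credit and an explicit "Anonymous" credit are deliberately kept apart: an anonymous report is still a responsible disclosure, whereas a missing credit is what the report treats as a possible sign of in-the-wild discovery. The keyword map is the fragile part in practice; real acknowledgement strings vary a lot, so a practitioner would review the "other" bucket by hand before drawing percentages from it.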
- Google reports over 17% of the vulnerabilities found in Microsoft products. Around 25% of the flaws are reported by the category 'other', which groups small companies that rarely report and independent researchers.
- Microsoft comes third, detecting more than 10% of its own flaws. It is followed very closely by the Chinese company Qihoo 360, which nevertheless finds more severe vulnerabilities than Microsoft does.
- NCSC, iDefense and Check Point usually report vulnerabilities with a severity above 5. Overall, almost half of the attributed vulnerabilities have a severity score of 8.
- In 2017 and 2018, Google led in the number of vulnerabilities fixed in Microsoft products. Since 2016, the number of flaws found by Microsoft itself has been increasing. During 2019, however, Qihoo 360 and ZDI have found a large number of vulnerabilities.
- Only 2% of attributed vulnerabilities are of maximum severity.
- In 2016, 25% of vulnerabilities were not attributed to anyone in particular. In 2019 (until September), only 9% had no identified finder. This may suggest that responsible reporting has improved.
We may conclude that most of the vulnerabilities found in Microsoft products (most of them with a severity of 8) are discovered by four main actors: Google, Qihoo 360, ZDI (which channels the work of independent researchers) and Microsoft itself. The roles have shifted over the years: Google and Microsoft have handed the top positions over to ZDI and Qihoo 360. Also noteworthy is the significant drop in non-attributed vulnerabilities (those found and disclosed, or exploited, without being responsibly reported): from 25% in 2016 to 9% in 2019. This points to better vulnerability management, notably through platforms such as ZDI, where researchers are rewarded and encouraged to report vulnerabilities responsibly.