Abstract
We study the vulnerability reports in the Common
Vulnerabilities and Exposures (CVE) database by using topic
models on their description texts to find prevalent vulnerability
types and new trends semi-automatically. In our study of the
39,393 unique CVEs until the end of 2009, we identify the
following trends, given here in the form of a weather forecast:
PHP: declining, with occasional SQL injection.
Buffer Overflows: flattening out after decline.
Format Strings: in steep decline.
SQL Injection and XSS: remaining strong, and rising.
Cross-Site Request Forgery: a sleeping giant perhaps, stirring.
Application Servers: rising steeply.
Refereed
No