Estimate for the total number of exploitable bugs in large linux distro?

Steve Kinney admin at pilobilus.net
Sat Jul 15 07:48:33 PDT 2017



On 07/15/2017 04:54 AM, Georgi Guninski wrote:
> On Fri, Jul 14, 2017 at 10:22:32AM -0400, John Newman wrote:
>> Bugs that already have some PoC or other code to exploit the issue? Or
>> the sum total of all exploitable bugs, discovered and undiscovered?
>>
>> The first case should be relatively small with a very current
>> release..  the second case obviously could be different.
>>
> 
> I meant all bugs, including the unknown.

The question reminds me of Donald Rumsfeld, with his "known knowns"
threats (exploits in the wild, patches available or high priority works
in progress), "known unknowns" (theoretically exploitable code but no
exploits reported, patching or redesign proceeds at routine priority),
and "unknown unknowns" (phantom fears and FUD).  By definition, you
can't count them all, and estimates will vary with the interests and
motivations of whoever does the estimating.

If I had to work up an estimate, I would want to look at all available
historical data for both raw counts of discovered exploitable coding
errors and malfeatures, and trends in the prevalence of same.  I would
also want to publish data developed by using the same protocol to
produce figures for other widely deployed families of kernels, to make
the information useful in practical contexts.

:o)


