Discovery Trends¶
At a Glance
Vulnerability discovery volume is increasing, but composition is shifting. The headline CVE count has grown year over year for nearly a decade, yet the mix of bug classes looks markedly different today than it did in 2016. Memory corruption still dominates exploit-grade findings, but its share of total disclosed vulnerabilities is declining. Logic flaws, authentication bypasses, and supply chain weaknesses are filling the gap.
The deeper tension is that discovery is outpacing remediation capacity. Organizations absorbing thousands of new CVEs per quarter cannot patch at the rate vulnerabilities are published. Whether this imbalance is a temporary growing pain or a structural problem is the central question. Is this sustainable?
Hypothesis Testing¶
Three competing narratives circulate in the security community about what the rising CVE count actually means. Each has supporting evidence, each has critics, and none is fully right on its own. Examining them in sequence builds a more accurate picture than accepting any single framing.
Hypothesis 1: Bugs Are Becoming Harder to Find¶
The argument goes: as memory-safe languages replace C and C++, as codebases age and accumulate fuzzing coverage, and as the easiest targets get claimed early, the marginal cost of finding the next vulnerability rises. If true, we would expect the CVE rate to plateau or fall.
Evidence for this view:
- The NSA, CISA, and allied agencies have publicly called for adoption of memory-safe languages, citing that memory safety issues account for a large fraction of exploitable vulnerabilities. As Rust, Go, and Swift displace C in new code, the pool of memory-unsafe surface area grows more slowly.
- OSS-Fuzz has continuously fuzzed hundreds of high-priority open source projects since 2016. After years of coverage, each incremental fuzzing hour finds fewer bugs in those same projects.
- Mature bug bounty programs on well-tested applications show rising duplicate rates, a proxy for saturation within a fixed scope.
Evidence against this view:
- Total CVE issuance has grown year over year. The NVD recorded more CVEs in 2023 than in any prior year, with the trend continuing into 2024.
- New attack surfaces are expanding faster than old surfaces are hardening. Cloud-native infrastructure, IoT firmware, AI/ML model serving stacks, and connected vehicles each introduce categories of vulnerability that did not exist at meaningful scale a decade ago.
- The number of CVE Numbering Authorities (CNAs) has grown substantially, improving coverage of previously unreported software.
Verdict: This hypothesis is class-dependent. Memory corruption vulnerabilities are declining as a share of total disclosures, driven by safer languages and sustained fuzzing. But logic flaws, configuration errors, and supply chain weaknesses are growing in both absolute numbers and relative share, and new technology categories are continuously expanding the surface area. The aggregate bug rate is not falling.
Hypothesis 2: Discovery Is Increasing Due to Tools and Participation¶
The alternative narrative credits the rising CVE count to structural improvements on the hunter side: better tooling, more participants, and more organized disclosure infrastructure.
Evidence supporting this view:
- OSS-Fuzz has reported finding over 10,000 vulnerabilities in open source projects since its launch, with the count continuing to rise. Automated fuzzing is systematically turning over rocks that manual audits could not reach.
- Bug bounty platforms have grown substantially. HackerOne and Bugcrowd both publish annual reports showing year-over-year growth in valid vulnerability submissions, paid researchers, and program counts.
- The CNA ecosystem has expanded beyond major vendors. CNAs now include researchers, coordinating bodies, and national CERTs, improving coverage of vulnerabilities that previously went unreported or received only vendor-internal identifiers.
- Software complexity is a force multiplier. The average application now pulls in hundreds of transitive dependencies, each a potential vulnerability source. More code, more bugs, independent of whether bugs per line of code is changing.
Conclusion: Supported. The tooling and participation story is consistent with the data. Rising CVE volume reflects genuine capability improvements, not just more paperwork. The bugs were always there; we are finding more of them.
Hypothesis 3: Bug Bounty Is Approaching Saturation¶
A more pessimistic reading comes from experienced researchers who report declining returns on time invested in well-established programs. The argument is that public programs with years of testing history have been picked over, and the economics no longer justify the effort for all but the highest-tier researchers.
Evidence for this view:
- Duplicate rates on mature programs (those running more than three years on large platforms) are anecdotally higher than on newer programs, though platforms do not consistently publish this data.
- Researcher sentiment surveys, including the HackerOne Hacker-Powered Security Report, acknowledge that top researchers increasingly focus on private invitations and new program launches rather than competing in crowded public scopes.
- Average time-to-find for critical vulnerabilities in well-fuzzed targets is rising, consistent with lower-density bug populations.
Evidence against this view:
- Total bounty payouts across major platforms continue to grow year over year in absolute terms, suggesting the market is not contracting.
- New categories including AI/ML system vulnerabilities, blockchain smart contracts, and cloud-native infrastructure configurations are actively expanding scope. Programs covering these areas launched relatively recently and have not been saturated.
- Private programs, which represent a large and growing fraction of bounty activity, typically have less public data, making system-wide saturation claims difficult to substantiate.
Conclusion: Partially supported. Saturation effects are real within well-tested, long-running public programs on conventional web and API targets. But surface area is expanding faster than the researcher community can cover it. The saturation dynamic is local, not global.
Vulnerability Class Shifts¶
The aggregate CVE count masks important compositional changes. Where vulnerabilities come from has shifted substantially over the past decade.
Memory safety declining as share: Sustained fuzzing campaigns and gradual adoption of memory-safe languages have not eliminated memory corruption, but they have reduced its share of total disclosures. High-severity memory corruption bugs remain disproportionately represented in exploited-in-the-wild datasets, but the rate of new discoveries in this class is growing more slowly than others.
Web application vulnerabilities maturing: Injection, XSS, and CSRF have been well-understood for over twenty years. Tooling to detect them is widely available. They persist in large numbers because the web application surface is vast and newly written code repeats old mistakes, but the class is not expanding relative to the total.
Logic and authentication bugs growing: Flaws in how systems make authorization decisions, validate business rules, or handle state transitions are increasingly prominent. These bugs resist automated detection, require contextual understanding to discover, and are often high severity. See the Gaps: Logic Bugs section for a detailed treatment.
Supply chain emerging as distinct class: Dependency confusion, malicious package injection, compromised build pipelines, and typosquatting represent a category that barely registered before 2019. The SolarWinds and XZ Utils incidents demonstrated that supply chain compromise can achieve impact equivalent to direct exploitation at massive scale.
API security expanding: As architectures shift toward microservices and mobile-backend patterns, API attack surface has grown proportionally. Broken object-level authorization, mass assignment, and rate limit bypasses are categories the OWASP API Security Top 10 codified in 2019, and the surface area has grown substantially since.
The chart below illustrates the approximate shift in vulnerability class distribution from 2016 to 2024, based on CWE category trends and industry reporting.
Knowledge Gap
Exact class breakdowns are approximations derived from CWE category trends in NVD data, MITRE reporting, and industry analyses. Different methodologies for assigning vulnerability classes produce materially different distributions. The directional trends (memory safety share declining, supply chain growing) are well-supported, but the specific percentages should not be treated as precise measurements.
Discovery-to-Remediation Gap¶
Rising discovery volume only creates risk if remediation cannot keep pace. The evidence suggests a widening structural gap.
Patch latency trends: Mean time to remediate (MTTR) has not improved proportionally with disclosure volume. For critical severity vulnerabilities, Kenna Security and Cyentia Institute research found that even well-resourced organizations take more than 30 days on average to patch critical findings, with long-tail distributions where a significant fraction remain unpatched for months. MTTR for lower-severity findings is substantially longer.
Vulnerability backlog growth: Organizations running continuous scanning against their environments accumulate open findings faster than they close them. The backlog problem is compounded by vulnerability churn: dependencies update, new CVEs are assigned to already-deployed versions, and the patch list grows even when no new code is deployed internally. Veracode's State of Software Security report has repeatedly found that the median application carries open findings for many months.
MTTR by severity: The pattern is consistent across data sources. Critical severity findings receive priority attention and are patched fastest, often within 30 to 60 days for organizations with mature programs. High severity findings average 60 to 120 days. Medium and low findings can sit open for a year or more, accumulating into a background debt that is rarely eliminated.
Growing tool coverage without proportional remediation capacity: As automated discovery tools improve (see Coverage-Guided Fuzzing and Static Analysis), the pipeline of identified vulnerabilities grows. Without equivalent investment in remediation engineering, triage, and patching workflows, more findings means more backlog, not more security.
Remediation Debt
The discovery-remediation gap represents compounding risk. Each day a known critical vulnerability remains unpatched in a production system is potential exposure. As discovery tools improve and the CVE rate rises, organizations that cannot scale their remediation workflows will see their effective attack surface grow even as their detection capability improves. Better visibility into vulnerabilities does not reduce risk unless it is paired with the capacity to close them.
For context on automated approaches to closing this gap, see Patch Generation.
The AI Inflection Point¶
The trends described above have developed over a decade of incremental improvement in tooling and participation. AI-assisted vulnerability discovery represents a potential step change rather than incremental progress.
Large language models and AI-assisted code analysis tools are beginning to demonstrate capability in identifying logic flaws, tracing data flow through complex call graphs, and generating test cases for edge conditions that traditional fuzzing misses. If this capability matures, it could substantially increase the rate at which vulnerabilities are discovered, particularly in the logic and authentication classes that have been most resistant to automated detection.
The implications cut in multiple directions. Faster automated discovery accelerates the already-strained remediation pipeline. If AI tools can find bugs faster than organizations can fix them, the discovery-remediation gap widens further. The same tools in adversarial hands could accelerate exploitation development. Researchers who previously provided high value through manual auditing face economic pressure as their time-intensive techniques are partially automated.
On the other side, AI-assisted patch generation and remediation tooling could grow alongside discovery capability. Whether discovery and remediation AI advance in parallel or discovery pulls ahead is an open question with significant implications for the ecosystem.
The Opportunities and AI page examines the constructive side of this dynamic in detail, including specific tool categories and research directions that are positioned to benefit from AI integration.
tags: - glossary
Glossary¶
| Term | Definition |
|---|---|
| AFL | American Fuzzy Lop, coverage-guided fuzzer |
| ASan | AddressSanitizer, memory error detector |
| CVE | Common Vulnerabilities and Exposures |
| AFL++ | Community-maintained successor to AFL, the de facto standard coverage-guided fuzzer |
| AEG | Automatic Exploit Generation, automated creation of working exploits from vulnerability information |
| ANTLR | ANother Tool for Language Recognition, parser generator used by grammar-aware fuzzers like Superion |
| AST | Abstract Syntax Tree, tree representation of source code structure used by static analyzers |
| BOD | Binding Operational Directive, mandatory cybersecurity directives issued by CISA |
| BOF | Buffer Overflow, writing data beyond allocated memory bounds, a common memory safety vulnerability |
| CFG | Control Flow Graph, directed graph representing all possible execution paths through a program |
| CGC | Cyber Grand Challenge, DARPA competition for autonomous vulnerability detection and patching |
| ClusterFuzz | Google's distributed fuzzing infrastructure that powers OSS-Fuzz |
| CodeQL | GitHub's query-based static analysis engine that treats code as a queryable database |
| CFAA | Computer Fraud and Abuse Act, US federal law governing computer security violations |
| CNA | CVE Numbering Authority, organization authorized to assign CVE IDs |
| CNNVD | China National Vulnerability Database of Information Security |
| CNVD | China National Vulnerability Database |
| Concolic | Concrete + Symbolic, execution that runs concrete values while tracking symbolic constraints |
| Corpus | Collection of seed inputs used by a coverage-guided fuzzer as the basis for mutation |
| Coverity | Synopsys commercial static analysis platform with deep interprocedural analysis |
| CPG | Code Property Graph, unified representation combining AST, CFG, and data-flow graph, used by Joern |
| CVSS | Common Vulnerability Scoring System, standard for rating vulnerability severity |
| CWE | Common Weakness Enumeration, categorization of software weakness types |
| DAST | Dynamic Application Security Testing, testing running applications for vulnerabilities |
| DBI | Dynamic Binary Instrumentation, modifying program behavior at runtime without recompilation |
| DFG | Data Flow Graph, graph representing how data values propagate through a program |
| DPA | Differential Power Analysis, extracting cryptographic keys by analyzing power consumption variations |
| Frida | Dynamic instrumentation toolkit for injecting scripts into running processes |
| Harness | Glue code connecting a fuzzer to its target, defining how fuzzed input is delivered |
| HWASAN | Hardware-assisted AddressSanitizer, ARM-based variant of ASan with lower overhead |
| IAST | Interactive Application Security Testing, combines elements of SAST and DAST during testing |
| Infer | Meta's open-source static analyzer based on separation logic and bi-abduction |
| JVN | Japan Vulnerability Notes, Japanese vulnerability information portal |
| KLEE | Symbolic execution engine built on LLVM for automatic test generation |
| LLM | Large Language Model, neural network trained on text/code, used for bug detection and code generation |
| LSAN | LeakSanitizer, detector for memory leaks, often used alongside AddressSanitizer |
| Meltdown | CPU vulnerability exploiting out-of-order execution to read kernel memory from user space |
| MITRE | Non-profit organization that maintains CVE, CWE, and ATT&CK frameworks |
| MTTR | Mean Time to Remediate, average duration from vulnerability disclosure to patch deployment |
| MSan | MemorySanitizer, detector for reads of uninitialized memory |
| NVD | National Vulnerability Database, NIST-maintained repository of vulnerability data |
| NIST | National Institute of Standards and Technology, US agency maintaining security standards and NVD |
| OpenSSF | Open Source Security Foundation, Linux Foundation project for open-source security |
| OSS-Fuzz | Google's free continuous fuzzing service for open-source software |
| OWASP | Open Worldwide Application Security Project, community producing security guides and tools |
| RCE | Remote Code Execution, vulnerability allowing an attacker to run arbitrary code on a target system |
| RL | Reinforcement Learning, ML paradigm where agents learn through reward-based feedback |
| S2E | Selective Symbolic Execution, whole-system analysis platform combining QEMU with KLEE |
| SARIF | Static Analysis Results Interchange Format, standard for exchanging static analysis findings |
| SAST | Static Application Security Testing, analyzing source code for vulnerabilities without execution |
| SCA | Software Composition Analysis, identifying known vulnerabilities in third-party dependencies |
| Seed | Initial input provided to a fuzzer as the starting point for mutation |
| Semgrep | Lightweight open-source static analysis tool using pattern-matching rules |
| Side-channel | Attack vector exploiting physical implementation artifacts rather than algorithmic flaws |
| SMT | Satisfiability Modulo Theories, solver used by symbolic execution to find inputs satisfying path constraints |
| Spectre | Family of CPU vulnerabilities exploiting speculative execution to leak data across security boundaries |
| SQLi | SQL Injection, injecting malicious SQL into queries via unsanitized user input |
| SSRF | Server-Side Request Forgery, tricking a server into making requests to unintended destinations |
| SymCC | Compilation-based symbolic execution tool that is 2--3 orders of magnitude faster than KLEE |
| Taint analysis | Tracking the flow of untrusted data from sources to security-sensitive sinks |
| VDP | Vulnerability Disclosure Program, formal process for receiving vulnerability reports |
| TOCTOU | Time-of-Check-Time-of-Use, race condition between validating a resource and using it |
| TSan | ThreadSanitizer, detector for data races in multithreaded programs |
| UAF | Use-After-Free, accessing memory after it has been deallocated |
| UBSan | UndefinedBehaviorSanitizer, detector for undefined behavior in C/C++ |
| Valgrind | Dynamic binary instrumentation framework for memory debugging and profiling |
| XSS | Cross-Site Scripting, injecting malicious scripts into web pages viewed by other users |
| Fine-tuning | Adapting a pre-trained ML model to a specific task using additional training data |
| AUTOSAR | Automotive Open System Architecture, standardized software framework for automotive ECUs |
| CAN | Controller Area Network, vehicle bus standard for microcontroller communication |
| DNP3 | Distributed Network Protocol, used in SCADA and utility systems |
| EDK II | EFI Development Kit II, open-source UEFI firmware development environment |
| OPC UA | Open Platform Communications Unified Architecture, industrial automation protocol |
| RTOS | Real-Time Operating System, OS designed for real-time applications with deterministic timing |
| Abstract interpretation | Mathematical framework for approximating program behavior using abstract domains |
| Dataflow analysis | Tracking how values propagate through a program to detect bugs like taint violations |