
Vulnerability Type Distributions in CVE



(note: HTML versions of the tables in this paper are included on the
web site, whose URL is given below.  Some mailing list programs seem
to be mishandling the encoding of the HTML tables, or rejecting them
due to size constraints.)


==========================================================
Vulnerability Type Distributions in CVE
==========================================================
Author: Steve Christey
Date: October 4, 2006
Document version: 1.0
URL: http://cwe.mitre.org/documents/vuln-trends.html


This is a draft report and does not represent an official position of
The MITRE Corporation. Copyright (c) 2006, The MITRE Corporation. All
rights reserved. Permission is granted to redistribute this document
if this paragraph is not removed. This document is subject to change
without notice.


=============================
===== Table of Contents =====
=============================

Introduction
Summary of Results
Data Sets
Trend Table Color Key
Table 1 Analysis: Overall Trends
Table 2 and 3 Analysis: OS vs. non-OS
Table 4 Analysis: Open and Closed Source
Possible Future Work
Notes on Potential Bias
(In)Frequently Asked Questions
Credits
References
Flaw Terminology
Table 1: Overall Results
Table 2: OS Vendors
Table 3: OS Vendors vs. Others
Table 4: Open and Closed Source (OS vendors)


========================
===== Introduction =====
========================

For the past 5 years, CVE has been tracking the types of errors that
lead to publicly reported vulnerabilities, and periodically reporting
trends on a limited scale.  In support of the Common Weakness
Enumeration (CWE) project [1], and as a result of the interest in this
work as mentioned during the "Year of the web application: Hack & Data
from the Front lines" panel at the 5th Annual Cyber Security Executive
Summit in New York City on September 13, 2006, we have published a
more extensive analysis.  An updated version will be released once
2006 is complete.

The primary goal of this study is to better understand research trends
using publicly reported vulnerabilities.  It should be noted that the
data is obtained from an uncontrolled population, i.e., decentralized
public reports from a research community with diverse goals and
interests, with an equally diverse set of vendors and developers.
More specialized, exhaustive, and repeatable methods could be devised
to evaluate software security.  But until such methods reach maturity
and widespread acceptance, the overall state of software security can
be viewed through the lens of public reports.

==============================
===== Summary of Results =====
==============================

1) The total number of publicly reported web application
   vulnerabilities has risen sharply, to the point where they have
   overtaken buffer overflows.  This is probably due to ease of
   detection and exploitation of web vulnerabilities, combined with
   the proliferation of low-grade software applications.  In 2005 and
   2006, cross-site scripting (XSS) was number 1, and SQL injection
   was number 2.  PHP remote file inclusion is number 3 in 2006;
   because it allows arbitrary code execution on a vulnerable server,
   this is a worrisome trend, although proper configuration is
   frequently enough to eliminate it.

2) Buffer overflows are still the number 1 issue as reported in
   operating system (OS) vendor advisories.  XSS is still high in this
   category, at number 2 in 2005 and number 3 in 2006, although other
   web application vulnerabilities appear much less frequently.

3) Integer overflows, barely in the top 10 overall in the past few
   years, are in the top 3 for OS vendor advisories.  This might
   indicate expert researcher interest in high-profile software.

4) There are noticeable differences in the types of vulnerabilities
   being reported in open and closed source OS vendor advisories.
   These merit further investigation because they might reflect
   important differences in development, research, and disclosure
   practices.

5) The data is inconclusive regarding whether there is a concrete
   improvement in overall software security.  While there is a rise in
   "new" vulnerability classes, the raw numbers for older classes have
   not changed significantly.  Further investigation is also required
   in this area.


=====================
===== Data Sets =====
=====================

Three main data sets were used in this analysis.

OVERALL: this data set consists of all CVEs that were first publicly
reported in 2001 or later (earlier CVEs do not have the appropriate
fields filled out.)  CVE includes all types of software, whether from
a major vendor or an individual hobbyist programmer, as long as the
associated vulnerability has been reported by the developer or posted
by a researcher or third party to sources such as mailing lists and
vulnerability databases.  CVE only includes distributable software,
i.e., it does not include issues that are reported for custom software
in specific web sites.  While CVE data is incomplete, it is estimated
that it is 80% complete relative to all major mailing lists and
vulnerability databases, with the likely exception of data from 2003.

OS VENDOR: this data set identifies CVEs that are associated with
operating system (OS) vendor advisories, which would capture
vulnerabilities in the kernel, as well as applications that are
supported by the OS vendor.  The data was limited to CVEs that have
one or more references from the following sources.  For open source OS
vendors, the following sources were used: DEBIAN, FREEBSD,
MANDRAKE/MANDRIVA, NETBSD, OPENBSD, REDHAT, and SUSE.  The closed
source OS vendors included: AIXAPAR, APPLE, CISCO, HP, MS, MSKB, SCO,
SGI, SUN, and SUNALERT.  CVE does not have the internal data fields to
support more fine-grained analysis for major non-OS vendors.

OPEN/CLOSED SOURCE: the open and closed source operating system (OS)
vendor sets were identified using the same methods and categories as
described in the "OS VENDOR" section.  Because some closed source
vendors such as Apple have significant codebase overlap with open
source products, any overlapping CVEs were removed from the data set.
Both open and closed sets had at least 1700 vulnerabilities.

In each data set, vulnerabilities were not removed if they were marked
as "disputed."  Many disputes are incorrect or unresolved.

=================================
===== Trend Table Color Key =====
=================================

In the HTML pages, the following color key is used for trend tables.

GRAY: used in comparisons to help visually separate one data set from
another

RED: a top 10 for that year

GREEN: during that year, the vulnerability's rank was at least 5
points BELOW the average rank for that vulnerability

YELLOW: during that year, the vulnerability's rank was at least 5
points ABOVE the average rank for that vulnerability

So, green on the left indicates vulns with RISING popularity, as will
yellow on the right.  Green on the right indicates vulns with FALLING
popularity, as will yellow on the left.
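As an added illustration (not from the paper or from any CVE tooling), the following Python script carries the Data Sets partition and the Trend Table Color Key through on constructed numbers: the reference-source lists are the ones given in the Data Sets section, while the CVE ids, the per-year counts and the tie-breaking rule are assumptions made for the example.

```python
# Reference sources the paper uses to define the open and closed source
# OS VENDOR data sets (from the Data Sets section).
OPEN_SOURCE_OS = {"DEBIAN", "FREEBSD", "MANDRAKE", "MANDRIVA", "NETBSD",
                  "OPENBSD", "REDHAT", "SUSE"}
CLOSED_SOURCE_OS = {"AIXAPAR", "APPLE", "CISCO", "HP", "MS", "MSKB", "SCO",
                    "SGI", "SUN", "SUNALERT"}

# Constructed records for the partition step; the ids are placeholders and
# the reference sources are invented, not taken from real CVE entries.
REF_SAMPLE = [
    {"id": "CVE-YYYY-0001", "type": "buf", "refs": {"BUGTRAQ", "REDHAT"}},
    {"id": "CVE-YYYY-0002", "type": "buf", "refs": {"MS", "DEBIAN"}},
    {"id": "CVE-YYYY-0003", "type": "xss", "refs": {"BUGTRAQ"}},
    {"id": "CVE-YYYY-0004", "type": "int-overflow", "refs": {"APPLE", "SUN"}},
    {"id": "CVE-YYYY-0005", "type": "link", "refs": {"SUSE", "DEBIAN"}},
]

# Constructed per-year counts (year -> {flaw type: CVEs}); the numbers are
# invented and only shaped to mirror the trends the paper describes.
COUNTS = {
    2004: {"buf": 20, "metachar": 16, "dot": 14, "xss": 12, "link": 11,
           "infoleak": 10, "dos-malform": 9, "format-string": 8,
           "sql-inject": 7, "int-overflow": 5, "crlf": 4, "php-include": 2},
    2005: {"xss": 30, "buf": 24, "sql-inject": 20, "dot": 12, "infoleak": 11,
           "metachar": 9, "php-include": 8, "dos-malform": 6, "link": 5,
           "int-overflow": 3},
    2006: {"xss": 40, "php-include": 28, "sql-inject": 25, "buf": 22,
           "infoleak": 10, "dot": 8, "dos-malform": 7, "int-overflow": 6,
           "metachar": 4, "link": 2},
}


def partition_os_vendor(records):
    """Open and closed source OS vendor sets by reference source, with CVEs
    that appear in both dropped, as the paper does before building Table 4."""
    open_ids = {r["id"] for r in records if r["refs"] & OPEN_SOURCE_OS}
    closed_ids = {r["id"] for r in records if r["refs"] & CLOSED_SOURCE_OS}
    overlap = open_ids & closed_ids
    return sorted(open_ids - overlap), sorted(closed_ids - overlap)


def rank_table(counts_by_year):
    """Per year: flaw type -> (count, percent of that year's CVEs, rank), with
    rank 1 the most reported type. Ties break by name (an assumption)."""
    table = {}
    for year, counts in counts_by_year.items():
        total = sum(counts.values())
        ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        table[year] = {t: (n, round(100.0 * n / total, 1), i + 1)
                       for i, (t, n) in enumerate(ordered)}
    return table


def top_n_share(counts_by_year, year, n=5):
    """Percent of a year's CVEs covered by its n most frequent types (the
    kind of figure behind the paper's 'top 5 = 57% of 2006')."""
    counts = counts_by_year[year]
    top = sorted(counts.values(), reverse=True)[:n]
    return round(100.0 * sum(top) / sum(counts.values()), 1)


def color_key(table, flaw_type, threshold=5):
    """Apply the trend-table color key to one flaw type.

    'Below' and 'above' are read as chart position, the reading under which
    the paper's rule 'green on the left or yellow on the right = rising'
    holds: GREEN when the year's rank number is at least `threshold` larger
    than the type's average rank, YELLOW when at least `threshold` smaller.
    RED (a top 10 year) is listed alongside; unreported years are skipped.
    """
    ranks = {y: table[y][flaw_type][2] for y in table if flaw_type in table[y]}
    if not ranks:
        return None, {}
    avg = sum(ranks.values()) / len(ranks)
    colors = {}
    for year, rank in sorted(ranks.items()):
        flags = ["RED"] if rank <= 10 else []
        if rank - avg >= threshold:
            flags.append("GREEN")
        elif avg - rank >= threshold:
            flags.append("YELLOW")
        colors[year] = flags
    return avg, colors


def trend_direction(colors):
    """Read the colored row left to right as the key describes: GREEN at the
    start or YELLOW at the end means rising popularity, the reverse falling."""
    years = sorted(colors)
    first, last = colors[years[0]], colors[years[-1]]
    rising = "GREEN" in first or "YELLOW" in last
    falling = "YELLOW" in first or "GREEN" in last
    if rising and not falling:
        return "rising"
    if falling and not rising:
        return "falling"
    return "mixed" if rising else "flat"


if __name__ == "__main__":
    print("open/closed OS vendor sets:", partition_os_vendor(REF_SAMPLE))
    table = rank_table(COUNTS)
    for flaw in ("buf", "xss", "php-include"):
        avg, colors = color_key(table, flaw)
        print(f"{flaw:12s} avg rank {avg:.1f} {colors} -> {trend_direction(colors)}")
    print("top 5 share of 2006:", top_n_share(COUNTS, 2006), "%")
```

With these constructed counts php-include comes out GREEN on the left and YELLOW on the right, which is the key's signature of a rising type, while buf stays uncolored apart from RED.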


============================================
===== Table 1 Analysis: Overall Trends =====
============================================

The most notable trend is the sharp rise in public reports for
vulnerabilities that are specific to web applications.

Buffer overflows were number 1 year after year, but that changed in
2005 with the rise of web application vulnerabilities, including
cross-site scripting (XSS), SQL injection, and remote file inclusion,
although SQL injection is not limited just to web applications.  In
fact, so far in 2006, buffer overflows are only #4.

There are probably several contributing factors to this increase in
web vulnerabilities:

1) The most basic data manipulations for these vulnerabilities are
   very simple to perform, e.g., "'" for SQL injection and
   "<script>alert('hi')</script>" for XSS.  This makes it easy for
   beginning researchers to quickly test large amounts of software.

2) There is a plethora of freely available web applications.  Much of
   the code is alpha or beta, written by inexperienced programmers
   with easy-to-learn languages such as PHP, and distributed on
   high-traffic sites.  The applications might have a small or
   non-existent user base.  Such software is often rife with
   easy-to-find vulnerabilities, and it is often a target for
   beginning researchers.  The large number of these
   "fish-in-a-barrel" applications is probably a major contributor to
   the overall trends.

3) With XSS, every input has the potential to be an attack vector,
   which does not occur with other vulnerability types.  This leaves
   more opportunity for a single mistake to occur in a program that
   otherwise protects against XSS.  SQL injection also has many
   potential attack vectors.

4) Despite popular opinion that XSS is easily prevented, it has many
   subtleties and variants.  Even solid applications can have flaws in
   them; consider non-standard browser behaviors that try to "fix"
   malformed HTML, which might slip by a filter that uses regular
   expressions.  Finally, until early 2006, the PHP interpreter had a
   vulnerability in which it did not quote error messages, but many
   researchers only reported the surface-level "resultant" XSS instead
   of figuring out whether there was a different "primary"
   vulnerability that led to the error.

5) There is some evidence that over the past couple of years, web
   defacers have taken an interest in performing and publishing their
   own research.  This is probably due to the ease of finding
   vulnerabilities, combined with the presence of high-risk problems
   such as PHP file inclusion, which can be used to remotely install
   powerful, easily-available backdoor code.  Based on customer posts
   to numerous vendor forums, there is solid evidence that remote file
   inclusion is regularly used to compromise web servers, which also
   helps to explain its popularity.


Overall Trends: Other Interesting Results
-----------------------------------------

1) For 2006, the top 5 vulnerability types are responsible for 57% of
   all CVEs.  With over 35 vulnerability types used in this report,
   and dozens more as currently identified in CWE, this shows how most
   public reports concentrate only on a handful of vulnerability
   types.

2) PHP remote file inclusion (php-include) has been steadily gaining
   ground since 2001, enough so that it is number 3 at this point in
   2006.  See items (2) and (5) from the previous section for a
   possible explanation.

3) Over the years, there has been a noticeable decline in shell
   metacharacters, symbolic link following, and directory traversal.
   It is unclear whether software is actually improving with respect
   to these problems, or if they are not investigated as frequently.

4) Information leaks (infoleak) appear regularly.  There are 2 main
   reasons for the prominence: "information leak" is a more general
   class than others (see CWE for more precise sub-categories), and
   when an error message includes a full path, that is usually
   categorized as an information leak, although it might be resultant
   from a separate primary vulnerability.

5) The inability to handle malformed inputs (dos-malform), which
   usually leads to a crash or hang, is also a general class.
   Malformed-input vulnerabilities have not been studied as closely as
   injection vulnerabilities, at least with respect to identifying the
   root cause of the problem.  Also, many reports do not specify how
   an input is malformed.  There are likely many cases in which a
   researcher accidentally triggers a more serious vulnerability but
   does not perform sufficient diagnosis to determine the primary
   issue.  Finally, vendor reports might only identify an issue as
   being related to "malformed input," which obscures the primary
   cause.

6) As the percentage of buffer overflows has declined, there has been
   an increase in related vulnerability types, including integer
   overflows (int-overflow), signedness errors, and double frees
   (double-free).  These are still very low-percentage, probably due
   to their relative newness and difficulty of detection compared to
   classic overflows.  In addition, these newly emerging vulnerability
   types might be labeled as buffer overflows, since they often lead
   to buffer overflows, and the "buffer overflow" term is used
   interchangeably for attack, cause, and effect.

7) Other interesting web application vulnerabilities are webroot
   (storage of sensitive files under the web document root),
   form-field (web parameter tampering), upload of files with
   executable extensions (e.g., file.php.gif), eval injection, and
   Cross-Site Request Forgery (CSRF).


==================================================
===== Table 2 and 3 Analysis: OS vs. non-OS ======
==================================================

Given the increase in web application vulnerabilities and the
likelihood that it is partially due to researcher interest in software
with small user bases, an analysis was performed based solely on
advisories from operating system (OS) vendors.  These advisories
frequently include the OS kernel and key applications that are
supported by the vendor.  See the Data Sets section for more
information.  Unfortunately, more precise data sets could not be
generated.

Table 2 provides the data for OS vendor advisories alone.  Table 3
contrasts the OS vendor advisories with all other reported issues.

There are several notable results:

1) Integer overflows are heavily represented in OS vendor advisories,
   rising to number 2 so far in 2006, even though they represent a
   small percentage of vulnerabilities overall.  This probably
   reflects growing interest by expert researchers in finding integer
   overflows, along with the tendency of expert researchers to
   evaluate widely deployed software.  The affected software ranges
   widely, including the kernel, cryptographic modules, and multimedia
   file processors such as image viewers and music players.  After
   2004, many of the reported issues occur in libraries or common
   DLLs.

2) Buffer overflows are still #1.  This is probably due to
   under-representation of web applications in OS advisories, relative
   to other CVEs.  In addition, as related issues like integer
   overflows increase, they might be detected or reported as buffer
   overflows, since buffer overflows are frequently resultant from
   integer overflows.

3) XSS is still very common, even in OS advisories, and it appears
   with the same frequency as integer overflows in 2006.  An informal
   analysis shows that the affected software includes web servers, web
   browsers, email clients, administrative interfaces, and Wiki/CMS.

4) With the exception of XSS, there is a wide gulf between web-related
   vulnerabilities in OS advisories and other issues.  SQL injection
   is not even in the top 10 for OS advisories, and PHP remote file
   inclusion is practically nonexistent.  Many other web-related
   vulnerabilities occupy the bottom of the chart.  For SQL injection,
   it is possible that most OS-supported applications do not use
   databases, or aren't web accessible.  SQL injection vulnerabilities
   are not web-specific, but it seems that they are rarely reported
   for non-web applications, so it is possible that this reflects some
   researcher bias.

5) Directory traversal and format string vulnerabilities are
   frequently reported at a higher rate in OS vendor advisories than
   elsewhere.  The reason is unclear, because these vulnerabilities
   are not restricted to local attack vectors, so one might expect
   that they would also appear regularly in web applications.
   However, it is likely that researchers do not focus on format
   strings because they are rarely exploitable for code execution in
   languages other than C.  In the case of PHP, many PHP functions are
   subject to both remote file inclusion and directory traversal, and
   it might be that only the file inclusion is publicly reported.  (In
   fact, the overlap is so close that this sometimes causes
   difficulties with classification).

6) In 2006 so far, more than a quarter (27%) of the OS vendor
   advisories did not have sufficient details to actually classify the
   vulnerability (type "unk").  This is in sharp contrast to the
   non-OS issues, which comprise less than 8%.  However, because of
   the data sets in question, the non-OS CVEs will include many
   non-coordinated disclosures that would, by their nature, require
   more details.  The next table will demonstrate that it is not just
   closed source vendor advisories that omit sufficient details for
   vulnerability classification.

7) The "top 5" and "top 10" vulnerabilities in each year are a much
   smaller percentage of total vulnerabilities in OS vendor advisories
   than non-OS issues.  For example, in 2005, the top 5 totaled 29.4%
   for OS issues, but 55% for non-OS.  For OS issues, this suggests an
   increasing diversity in the kinds of vulnerabilities being
   reported, whereas for other issues, that diversity appears to be
   decreasing.  However, this could be another reflection of the
   domination of web application vulnerabilities.



====================================================
===== Table 4 Analysis: Open and Closed Source =====
====================================================

Table 4 compares the vulnerability type distribution between the open
source and closed source operating system (OS) vendors.  See the "Data
Sets" section for more information on how the data sets were
generated.  As a reminder, CVEs that overlapped both open and closed
source sets were omitted.

IMPORTANT: it is inappropriate to use these results to compare the
relative security of open and closed source products, so the report
excludes raw numbers.  Both sets had at least 1700 vulnerabilities.
There are too many variations in vendor advisory release policies,
possible differences in research techniques, and other factors cited
in [2].  And, simply put, there is too much potential for raw numbers
to be misused and misinterpreted.

However, some results pose interesting questions that merit more
in-depth investigation.  These discrepancies might reflect differences
in vulnerability research techniques, researcher sub-communities,
vendor disclosure policies, and development practices and APIs, but
this has not been proven.

The research and vendor communities are encouraged to investigate the
underlying causes for these differences, which could provide lessons
learned for all software developers, open and closed source alike.

Some of the most notable results are:

1) The percentage of "unknown" vulnerabilities - those that could not
   be classified due to lack of details - is significantly higher in
   closed source than in open source advisories, reaching 45% so far
   for 2006.
   With such a wide discrepancy, it is difficult to know whether any
   of the remaining results in this section are significant.  It
   should be noted that 10% of issues in open source advisories do not
   have enough details to classify the problem.

2) Buffer overflows are number 1 for both open and closed, with
   roughly the same percentage over the years.

3) Symbolic link vulnerabilities appear at a higher rate in open
   source than closed source, although this might be due to the
   non-Unix OSes in the data set.  While Windows has "shortcuts"
   (.LNK) that are similar to Unix links, they appear very rarely in
   Microsoft advisories, or for Windows-based applications.  It is not
   clear whether this is due to under-research or API/development
   differences.  The author recalls that at least one Linux researcher
   appeared to concentrate on symbolic link issues in 2004 and 2005,
   so researcher bias might also be a factor.

4) Malformed-input vulnerabilities appear more frequently in closed
   source advisories than open source.  This might be due to a lack of
   details in closed source advisories.  If an advisory mentions a
   problem due to "malformed data," it might be assigned the
   dos-malform type.  Another factor might be due to black box
   techniques.  It seems likely that fuzzers and other tools would be
   used more frequently against closed source products than open
   source, but this is not known.

5) XSS vulnerabilities appear more frequently in open source
   advisories than closed, but this might be a reflection of vendor
   release policies for advisories.  It seems that open source vendors
   are more likely to release advisories for smaller packages.

6) Format string vulnerabilities appear more frequently in open
   source.  There are probably several factors.  First, susceptible
   API library calls such as printf() are easily found in source code
   using crude methods, whereas binary reverse engineering techniques
   are not conducted by many researchers (this might also be an
   explanation for symbolic link issues).  Second, many format string
   problems seem to occur in rarely-triggered error conditions, which
   makes them more difficult to test with black box methods.

   Perhaps most surprising: it appears that, since 2003, the non-Unix
   closed source advisories have not mentioned any format strings.  It
   is not clear why there would be such a radical difference, although
   it could be due to the lack of details in those advisories.

7) Integer overflows have been roughly the same rank for open and
   closed source.  This is a curious similarity, since one might not
   expect open and closed source analysis techniques to be equally
   capable in finding these problems.

8) Another interesting example is in the use of default passwords.
   Over the years, very few open source vendor advisories have
   mentioned default passwords, whereas they appear with some
   regularity in closed source advisories.  It is not clear whether
   this is a difference in shipping/configuration practices or vendor
   disclosure policies.

9) Shell metacharacter issues appear less frequently in non-Unix
   closed source than other closed source advisories.  This result was
   found by a separate analysis; it is not evident in Table 4.  This
   could be due to usage patterns of API functions such as
   CreateProcess() for Windows, and system() for Unix.  This result is
   being reported because it is the most concrete example of how API
   functions might play a role in implementation-level
   vulnerabilities.


================================
===== Possible Future Work =====
================================

1) The vulnerability types could be tied to other CVE-normalized data,
   such as IDS, incident databases, or vulnerability scanning results.
   This could determine the types of vulnerabilities that are being
   actively exploited or detected in real-world enterprises.

2) More precise classification could be informative.  Approximately
   30% of CVEs have vulnerability types that cannot be described using
   the current classification scheme.  Another 15% are "unknown"
   vulnerabilities whose disclosures do not have sufficient details to
   determine any vulnerability type, but this problem is unavoidable,
   since some vendors do not release these details.

3) A crude measure of researcher diversity might be possible by
   linking data to other vulnerability databases that record this
   information.  This could be used to determine if the raw number of
   researchers is increasing (probably), how that rate is increasing
   relative to the number of vulnerabilities (unknown), and how many
   different bug types are found by the average researcher (probably
   fairly small).  If such data is available, then a further breakdown
   could be performed based on professional researchers versus others.

4) More precise data sets could be identified, such as a cross-section
   of market leaders in various product categories, not just OS vendor
   advisories.  CVE does not record this type of information.

===================================
===== Notes on Potential Bias =====
===================================

The diversity of both researchers and vendor disclosure practices
introduces several unmeasurable biases, as described in more detail in
[2].

In the overall results, 2003's issues have 20% with vulnerabilities
that are "not specified" by the CVE analyst, which is inconsistent
with statistics from other years.  Many of these vulnerabilities were
reviewed after this discovery, and they are in fact of type "other."
This discrepancy has not been sufficiently explained, although it is
probably at least partially due to the relative percentage of CVEs in
OS vendor advisories to other CVEs, since 2003 was a low-output year
for CVE and thus the concentration was in high-priority software.

Some vulnerability types are probably under-represented due to
classification difficulty.  For example, the "form-field" type (web
parameter tampering) might occasionally get classified as an
authentication error, depending on how the original researcher reports
the issue.


==========================================
===== (In)Frequently Asked Questions =====
==========================================

1) Why aren't you giving out raw numbers for open vs. closed source?

   Answer: we already said why.  See paragraph 2 of the Table 4
   analysis for a reminder.

2) Why are you releasing this report now, with incomplete 2006 data?

   Answer: when MITRE mentioned the preliminary results at the Cyber
   Security Executive Summit on September 13, there was a lot more
   interest than we had originally anticipated.  Subsequent discussion
   of the results might help us to provide a better report when 2006
   is done.

3) How does this compare with the other summaries you've posted in the
   past?  Why have the numbers and percentages changed for older
   years?

   Answer: (1) we occasionally add CVEs for older issues, (2) some of
   the previously released summaries were cumulative instead of
   offering a year-by-year breakdown, and (3) eventually, as a new
   type of vulnerability is reported more frequently, the CVE project
   notices it enough to give it a name, or at least a type.  Once we
   do that, we can go back and update the older CVEs that also had the
   issue.  However, we often rely on keyword searches in CVE
   descriptions for doing these kinds of updates.  The earliest
   reports of new vulnerability types probably don't get captured
   fully, because CVE descriptions frequently vary in the early days
   or months of a new vulnerability type.  Most updates to these
   vulnerability trends trigger an informal review of the "other"
   vulnerabilities for the data set in order to update the type
   fields.

4) There are a lot more vulnerability types than what you've covered.

   Answer: That's an observation, not a question.  If a certain
   vulnerability type is not on the list, then it probably didn't
   appear frequently enough for the CVE project to track closely.
   There are several reasons: (1) the vulnerability type is selected
   from a large dropdown menu during CVE refinement, but also (2) our
   work in the Common Weakness Enumeration (CWE) is producing hundreds
   of vuln types, and we want that to become a little more stable
   before doing the next round of modifications to CVE data.  Finally,
   (3) with approximately 3,500 vulnerabilities marked "other" or "not
   specified", it is cost-prohibitive to review each CVE when the set
   of categories is updated.

5) Why isn't my favorite web vulnerability here?

   Answer: Many web vulnerabilities are difficult to classify because
   they are "multi-factor," i.e., they are composed of multiple bugs,
   weaknesses, and/or design limitations.  Other web issues are really
   just specialized attacks that use other primary vulnerabilities.
   For example, most HTTP response splitting problems rely on CRLF
   injection, so they are classified under CRLF injection.


===================
===== Credits =====
===================

Large-scale trend analyses like this are not possible without the body
of knowledge that has been formed by hundreds or thousands of
researchers, from hobbyists to professionals.

Thanks to the following for substantive feedback on the initial draft,
sometimes in the form of a question that required more investigation:
Bill Heinbockel, Chris Wysopal, and Mark Curphey.


======================
===== References =====
======================

[1] CWE, http://cwe.mitre.org

[2] "Open Letter on the Interpretation of 'Vulnerability Statistics'"
    Bugtraq, Full-Disclosure
        January 5, 2006
    http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041028.html


============================
===== Flaw Terminology =====
============================

Type: auth
CWE: CWE-289, CWE-288, CWE-302, CWE-305, CWE-294, CWE-290, CWE-287, CWE-303
Description:
Weak/bad authentication problem

Type: buf
CWE: CWE-119, CWE-120, others
Description:
Buffer overflow

Type: CF
CWE: none
Description:
General configuration problem, not perm or default

Type: crlf
CWE: CWE-93
Description:
CRLF injection

Type: crypt
CWE: CWE-310, CWE-311, CWE-347, CWE-320, CWE-325
Description:
Cryptographic error (poor design or implementation), including
plaintext storage/transmission of sensitive information.

Type: CSRF
CWE: CWE-352
Description:
Cross-Site Request Forgery (CSRF)

Type: default
CWE: N/A
Description:
Insecure default configuration, e.g., passwords or permissions

Type: design
CWE: none
Description:
Design problem, generally in protocols or programming languages.
Since 2005, its use has been limited due to the highly general nature
of this type.

Type: dos-flood
CWE: CWE-400
Description:
DoS caused by flooding with a large number of *legitimately formatted*
requests/etc.; normally DoS is a crash, or spending a lot more time on
a task than it "should"

Type: dos-malform
CWE: CWE-238, CWE-234, CWE-166, CWE-230, many others
Description:
DoS caused by malformed input

Type: dos-release
CWE: CWE-404
Description:
DoS because system does not properly release resources

Type: dot
CWE: CWE-22, CWE-23, CWE-36
Description:
Directory traversal (file access via ".." or variants)

Type: double-free
CWE: CWE-415
Description:
Double-free vulnerability

Type: eval-inject
CWE: CWE-95
Description:
Eval injection

Type: form-field
CWE: CWE-472
Description:
CGI program inherently trusts form field that should not be modified
(i.e., should be stored locally)

Type: format-string
CWE: CWE-134
Description:
Format string vulnerability; user can inject format specifiers during
string processing.

Type: infoleak
CWE: CWE-205, CWE-212, CWE-203, CWE-209, CWE-207, CWE-200, CWE-215, others
Description:
Information leak by a product, which is not the result of another
vulnerability; typically by design or by producing different "answers"
that suggest the state; often related to configuration / permissions
or error reporting/handling.

Type: int-overflow
CWE: CWE-190
Description:
A numeric value can be incremented to the point where it overflows and
begins at the minimum value, with security implications.  Overlaps
signedness errors.

Type: link
CWE: CWE-61, CWE-64
Description:
Symbolic link following

Type: memleak
CWE: CWE-401
Description:
Memory leak (doesn't free memory when it should); use this instead of
dos-release

Type: metachar
CWE: CWE-78
Description:
Unescaped shell metacharacters or other unquoted "special" char's;
currently includes SQL injection but not XSS.

Type: msdos-device
CWE: CWE-67
Description:
Problem due to file names with MS-DOS device names.

Type: not-specified
CWE: none
Description:
The CVE analyst has not assigned a flaw type to the issue, typically
similar to "other".

Type: other
CWE: none
Description:
Other vulnerability; issue could not be described with an available
type at the time of analysis.

Type: pass
CWE: CWE-259
Description:
Default or hard-coded password

Type: perm
CWE: CWE-276
Description:
Assigns bad permissions, improperly calculates permissions, or
improperly checks permissions

Type: php-include
CWE: CWE-98
Description:
PHP remote file inclusion

Type: priv
CWE: CWE-266, CWE-274, CWE-272, CWE-250, CWE-264, CWE-265, CWE-268, CWE-270, 
CWE-271, CWE-269, CWE-267
Description:
Bad privilege assignment, or privileged process/action is
unprotected/unauthenticated.

Type: race
CWE: CWE-362, CWE-366, CWE-364, CWE-367, CWE-421, CWE-368, CWE-363, CWE-370
Description:
General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)

Type: rand
CWE: CWE-330, CWE-331, CWE-332, CWE-338, CWE-342, CWE-341, CWE-339, others
Description:
Generation of insufficiently random numbers, typically by using easily
guessable sources of "random" data

Type: relpath
CWE: CWE-426, CWE-428, CWE-114
Description:
Untrusted search path vulnerability - Relies on search paths to find
other executable programs or files, opening up to Trojan horse
attacks, e.g., PATH environment variable in Unix.

Type: sandbox
CWE: CWE-265
Description:
Java/etc. sandbox escape - NOT BY DOT-DOT!

Type: signedness
CWE: CWE-195, CWE-196
Description:
Signedness error; a numeric value in one format/representation is
improperly handled when it is used as if it were another
format/representation.  Overlaps integer overflows and array index
errors.

Type: spoof
CWE: CWE-290, CWE-350, CWE-347, CWE-345, CWE-247, CWE-292, CWE-291
Description:
Product is vulnerable to spoofing attacks, generally by not properly
verifying authenticity.

Type: sql-inject
CWE: CWE-89
Description:
SQL injection vulnerability

Type: type-check
CWE: unknown
Description:
Product incorrectly identifies the type of an input parameter or file,
then dispatches the wrong "executable" (possibly itself) to process
the input, or otherwise misrepresents the input in a security-critical
way.

Type: unk
CWE: none
Description:
Unknown vulnerability; report is too vague to determine type of issue.

Type: upload
CWE: CWE-434
Description:
Product does not restrict the extensions for files that can be
uploaded to the web server, leading to code execution if executable
extensions are used in filenames, such as .asp, .php, and .shtml.

Type: webroot
CWE: CWE-219, CWE-433
Description:
Storage of sensitive data under web document root with insufficient
access control.

Type: XSS
CWE: CWE-79, CWE-80, CWE-87, CWE-85, CWE-82, CWE-81, CWE-83, CWE-84
Description:
Cross-site scripting (aka XSS)



====================================
===== Table 1: Overall Results =====
====================================


                         TOTAL        2001        2002        2003        2004        2005        2006
                        (16192)      (1434)      (2138)      (1173)      (2534)      (4538)      (4375)
                      ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] XSS              13.9% ( 1)  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
                      2247        32          187         88          276         725         939
[ 2] buf              13.3% ( 2)  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
                      2156        279         433         264         391         445         344
[ 3] sql-inject       08.7% ( 3)  00.4% (27)  01.8% (12)  03.0% ( 4)  05.5% ( 3)  12.9% ( 2)  14.0% ( 2)
                      1416        6           38          35          140         584         613
[ 4] dot              04.7% ( 4)  08.9% ( 2)  05.1% ( 3)  02.9% ( 5)  04.1% ( 4)  04.3% ( 4)  04.4% ( 5)
                      764         127         110         34          104         195         194
[ 5] php-include      03.5% ( 5)  00.1% (31)  00.3% (30)  00.8% (15)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
                      561         1           6           9           36          95          414
[ 6] infoleak         03.3% ( 6)  02.6% ( 9)  04.2% ( 5)  02.6% ( 7)  03.7% ( 5)  03.9% ( 5)  02.6% ( 6)
                      540         37          89          30          95          175         114
[ 7] dos-malform      02.9% ( 7)  04.8% ( 3)  05.1% ( 4)  02.5% ( 8)  03.4% ( 6)  01.8% ( 8)  02.0% ( 7)
                      463         69          110         29          87          82          86
[ 8] link             02.0% ( 8)  04.5% ( 4)  02.1% ( 9)  03.5% ( 3)  02.8% ( 7)  01.9% ( 7)  00.5% (16)
                      329         64          45          41          72          87          20
[ 9] format-string    01.8% ( 9)  03.2% ( 7)  01.8% (11)  02.7% ( 6)  02.4% ( 8)  01.7% ( 9)  01.0% (10)
                      296         46          39          32          61          76          42
[10] crypt            01.6% (10)  03.8% ( 6)  02.7% ( 6)  01.5% ( 9)  00.9% (16)  01.5% (10)  00.9% (11)
                      261         55          58          18          22          68          40
[11] priv             01.4% (11)  02.5% (10)  02.2% ( 8)  01.0% (12)  01.3% (11)  01.5% (11)  00.9% (12)
                      233         36          46          12          32          67          40
[12] metachar         01.3% (12)  03.8% ( 5)  02.6% ( 7)  00.7% (17)  01.0% (14)  01.3% (12)  00.3% (20)
                      218         55          56          8           26          59          14
[13] perm             01.3% (13)  02.7% ( 8)  01.8% (10)  01.3% (11)  00.9% (15)  01.1% (13)  01.1% ( 9)
                      215         39          39          15          24          48          50
[14] int-overflow     01.0% (14)  00.1% (32)  00.4% (22)  01.4% (10)  01.9% ( 9)  00.8% (15)  01.2% ( 8)
                      160         1           8           16          47          36          52
[15] dos-flood        00.8% (15)  02.0% (12)  01.7% (13)  00.5% (19)  01.2% (12)  00.2% (27)  00.4% (17)
                      131         29          36          6           31          10          19
[16] pass             00.8% (16)  01.1% (18)  01.3% (14)  00.2% (28)  01.1% (13)  00.8% (14)  00.4% (18)
                      125         16          27          2           28          36          16
[17] auth             00.8% (17)  01.5% (13)  01.3% (15)  00.5% (20)  00.7% (17)  00.5% (19)  00.7% (14)
                      124         22          27          6           17          21          31
[18] webroot          00.5% (18)  00.1% (29)  00.2% (32)  00.3% (24)  00.2% (30)  00.7% (16)  00.9% (13)
                      88          2           5           3           5           33          40
[19] form-field       00.5% (19)  00.7% (24)  00.8% (17)  00.5% (21)  00.2% (27)  00.4% (20)  00.5% (15)
                      81          10          17          6           6           19          23
[20] relpath          00.4% (20)  00.8% (22)  00.3% (29)  00.9% (14)  00.6% (18)  00.3% (22)  00.3% (21)
                      71          12          6           10          14          15          14
[21] race             00.4% (21)  00.5% (26)  00.4% (24)  00.6% (18)  00.4% (21)  00.6% (17)  00.3% (24)
                      69          7           8           7           10          26          11
[22] memleak          00.4% (22)  01.1% (17)  00.2% (31)  00.4% (22)  00.5% (19)  00.3% (23)  00.2% (27)
                      61          16          5           5           13          15          7
[23] msdos-device     00.4% (23)  01.0% (20)  00.6% (19)  00.9% (13)  00.2% (23)  00.2% (28)  00.0% (32)
                      57          15          13          11          6           10          2
[24] crlf             00.3% (24)  00.0%  N/A  00.2% (33)  00.1% (30)  00.5% (20)  00.4% (21)  00.3% (19)
                      49          0           4           1           13          17          14
[25] default          00.3% (26)  01.1% (16)  00.7% (18)  00.1% (33)  00.2% (26)  00.1% (33)  00.1% (29)
                      48          16          16          1           6           3           6
[26] spoof            00.3% (25)  01.0% (19)  00.3% (28)  00.1% (32)  00.1% (33)  00.2% (26)  00.3% (25)
                      48          15          7           1           3           11          11
[27] sandbox          00.3% (27)  01.2% (15)  01.0% (16)  00.0%  N/A  00.2% (29)  00.0% (34)  00.0%  N/A
                      46          17          22          0           5           2           0
[28] rand             00.3% (28)  01.2% (14)  00.6% (20)  00.3% (25)  00.2% (32)  00.0% (35)  00.2% (26)
                      45          17          12          3           4           2           7
[29] upload           00.3% (29)  00.0%  N/A  00.0% (36)  00.1% (29)  00.2% (24)  00.5% (18)  00.3% (22)
                      43          0           1           1           6           22          13
[30] signedness       00.2% (30)  00.1% (30)  00.4% (23)  00.8% (16)  00.2% (25)  00.3% (24)  00.0% (34)
                      38          1           8           9           6           12          2
[31] dos-release      00.2% (31)  00.9% (21)  00.5% (21)  00.2% (27)  00.2% (31)  00.0%  N/A  00.0%  N/A
                      30          13          10          2           5           0           0
[32] CF               00.2% (32)  00.7% (23)  00.3% (27)  00.2% (26)  00.0%  N/A  00.1% (31)  00.1% (28)
                      29          10          7           2           0           4           6
[33] eval-inject      00.2% (33)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0% (34)  00.2% (25)  00.3% (23)
                      25          0           0           0           1           11          13
[34] design           00.1% (34)  00.6% (25)  00.4% (26)  00.1% (31)  00.0% (35)  00.1% (32)  00.0% (31)
                      23          8           8           1           1           3           2
[35] double-free      00.1% (35)  00.0%  N/A  00.1% (34)  00.3% (23)  00.2% (22)  00.1% (30)  00.1% (30)
                      21          0           2           4           6           5           4
[36] CSRF             00.1% (37)  00.0%  N/A  00.0% (35)  00.0%  N/A  00.2% (28)  00.2% (29)  00.0% (33)
                      16          0           1           0           5           8           2
[37] type-check       00.1% (36)  00.4% (28)  00.4% (25)  00.0%  N/A  00.0%  N/A  00.0% (36)  00.0% (35)
                      16          6           8           0           0           1           1
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk              09.0%  N/A  07.9%  N/A  07.1%  N/A  07.0%  N/A  08.2%  N/A  08.9%  N/A  11.5%  N/A
                      1460        114         151         82          209         402         502
n/a  other            15.2%  N/A  16.7%  N/A  19.0%  N/A  11.8%  N/A  17.2%  N/A  13.1%  N/A  14.9%  N/A
                      2468        239         407         139         435         595         653
n/a  not-specified    06.9%  N/A  00.1%  N/A  03.1%  N/A  20.5%  N/A  11.3%  N/A  11.3%  N/A  00.3%  N/A
                      1121        2           66          240         286         513         14
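As an added example (not code from the report), the Python below parses rows in the plain-text layout of Table 1 and recomputes the percentage and rank columns from the raw counts and the per-year totals in the table header, which is how the stated columns are derived. The sample rows are copied from Table 1; ranks are computed only over the rows supplied, so they agree with the table's ranks only where the supplied rows happen to be the top entries for that year.

```python
"""Added example: parse rows of this report's plain-text trend tables and
recompute the derived (percentage and rank) columns from the raw counts."""
import re

YEARS = ["TOTAL", "2001", "2002", "2003", "2004", "2005", "2006"]

# Column totals from the header of Table 1 (CVE entries per column).
TABLE1_TOTALS = dict(zip(YEARS, [16192, 1434, 2138, 1173, 2534, 4538, 4375]))

# Sample input: five rows copied from Table 1, each type line followed by its
# count line.  The full table has 37 ranked rows; "N/A" marks a zero-count cell.
SAMPLE_TABLE1 = """\
[ 1] XSS              13.9% ( 1)  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
                      2247        32          187         88          276         725         939
[ 2] buf              13.3% ( 2)  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
                      2156        279         433         264         391         445         344
[ 3] sql-inject       08.7% ( 3)  00.4% (27)  01.8% (12)  03.0% ( 4)  05.5% ( 3)  12.9% ( 2)  14.0% ( 2)
                      1416        6           38          35          140         584         613
[ 5] php-include      03.5% ( 5)  00.1% (31)  00.3% (30)  00.8% (15)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
                      561         1           6           9           36          95          414
[24] crlf             00.3% (24)  00.0%  N/A  00.2% (33)  00.1% (30)  00.5% (20)  00.4% (21)  00.3% (19)
                      49          0           4           1           13          17          14
"""

TYPE_LINE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)\s+(.*)$")
# One percent/rank cell: "13.9% ( 1)" or "00.0%  N/A" (no rank when the count is 0).
CELL = re.compile(r"(\d+\.\d)%\s+(?:\(\s*(\d+)\)|N/A)")


def parse_table(text):
    """Return one dict per type row: stated percentages, stated ranks and counts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected type/count line pairs")
    rows = []
    for type_line, count_line in zip(lines[0::2], lines[1::2]):
        m = TYPE_LINE.match(type_line)
        if not m:
            raise ValueError("not a type line: %r" % type_line)
        cells = CELL.findall(m.group(3))
        counts = [int(c) for c in count_line.split()]
        if len(cells) != len(YEARS) or len(counts) != len(YEARS):
            raise ValueError("wrong number of columns for %s" % m.group(2))
        rows.append({
            "row": int(m.group(1)),
            "type": m.group(2),
            "stated_pct": {y: float(p) for y, (p, _) in zip(YEARS, cells)},
            "stated_rank": {y: (int(r) if r else None) for y, (_, r) in zip(YEARS, cells)},
            "counts": dict(zip(YEARS, counts)),
        })
    return rows


def recomputed_pct(row, totals):
    """Share of the column total, rounded to one decimal as the table prints it."""
    return {y: round(100.0 * row["counts"][y] / totals[y], 1) for y in YEARS}


def pct_mismatches(rows, totals):
    """(type, year, stated, recomputed) for each cell whose stated percentage is off."""
    bad = []
    for row in rows:
        calc = recomputed_pct(row, totals)
        for y in YEARS:
            # Tolerate only the one-decimal rounding of the published figure.
            if abs(calc[y] - row["stated_pct"][y]) > 0.05 + 1e-9:
                bad.append((row["type"], y, row["stated_pct"][y], calc[y]))
    return bad


def total_mismatches(rows):
    """Types whose TOTAL count differs from the sum of their yearly counts."""
    return [r["type"] for r in rows
            if r["counts"]["TOTAL"] != sum(r["counts"][y] for y in YEARS[1:])]


def ranks_by_year(rows, year):
    """Rank the supplied rows by count for one column (1 = most entries).

    Ranks are relative to the rows given, so they equal the table's ranks only
    when the whole table is supplied; zero-count types get None (the table's N/A).
    """
    ordered = sorted(rows, key=lambda r: r["counts"][year], reverse=True)
    return {r["type"]: (i + 1 if r["counts"][year] > 0 else None)
            for i, r in enumerate(ordered)}


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE1)
    print("percentage mismatches:", pct_mismatches(rows, TABLE1_TOTALS))
    print("TOTAL != sum of years:", total_mismatches(rows))
    print("2006 ranks within the sample:", ranks_by_year(rows, "2006"))
```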



===============================
===== Table 2: OS Vendors =====
===============================


                         TOTAL        2001        2002        2003        2004        2005        2006
                        (4418)      ( 443)      ( 660)      ( 527)      ( 736)      (1199)      ( 853)
                      ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] buf              20.0% ( 1)  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
                      882         93          177         131         150         194         137
[ 2] link             04.0% ( 2)  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
                      177         33          22          21          38          48          15
[ 3] dos-malform      03.7% ( 3)  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
                      162         25          40          14          33          22          28
[ 4] XSS              03.4% ( 4)  01.6% (12)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 3)
                      152         7           29          16          10          50          40
[ 5] int-overflow     02.7% ( 5)  00.0%  N/A  01.2% (12)  02.3% ( 6)  04.6% ( 3)  02.1% ( 6)  04.7% ( 2)
                      119         0           8           12          34          25          40
[ 6] format-string    02.4% ( 6)  05.2% ( 4)  01.5% (10)  02.3% ( 5)  02.6% ( 5)  02.4% ( 5)  01.6% ( 7)
                      107         23          10          12          19          29          14
[ 7] priv             02.0% ( 7)  04.1% ( 5)  02.3% ( 6)  00.8% (13)  00.8% (14)  02.6% ( 4)  01.6% ( 6)
                      88          18          15          4           6           31          14
[ 8] perm             01.8% ( 8)  04.1% ( 6)  02.1% ( 7)  01.1% (11)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
                      78          18          14          6           8           20          12
[ 9] dot              01.4% ( 9)  01.6% (13)  01.5% ( 9)  01.1% ( 8)  01.6% ( 6)  01.3% (12)  01.6% ( 8)
                      64          7           10          6           12          15          14
[10] metachar         01.2% (10)  02.0% ( 9)  02.6% ( 5)  00.8% (16)  00.7% (17)  01.3% (11)  00.4% (19)
                      53          9           17          4           5           15          3
[11] infoleak         01.2% (11)  00.9% (20)  01.2% (13)  01.1% ( 9)  01.1% ( 9)  01.3% (10)  01.2% (10)
                      52          4           8           6           8           16          10
[12] race             01.0% (12)  01.1% (17)  00.9% (15)  00.4% (19)  01.0% (11)  01.6% ( 9)  00.7% (13)
                      45          5           6           2           7           19          6
[13] memleak          00.8% (13)  02.0% (10)  00.6% (19)  00.8% (14)  01.0% (12)  00.9% (14)  00.2% (23)
                      37          9           4           4           7           11          2
[14] sql-inject       00.8% (14)  00.2% (27)  00.6% (21)  01.1% (10)  00.7% (16)  00.9% (13)  00.9% (11)
                      35          1           4           6           5           11          8
[15] crypt            00.8% (15)  01.6% (14)  01.4% (11)  01.1% ( 7)  00.4% (18)  00.4% (18)  00.5% (16)
                      34          7           9           6           3           5           4
[16] sandbox          00.7% (16)  02.7% ( 7)  02.1% ( 8)  00.0%  N/A  00.1% (23)  00.2% (28)  00.0%  N/A
                      29          12          14          0           1           2           0
[17] relpath          00.6% (18)  01.6% (11)  00.3% (28)  00.4% (18)  01.1% ( 8)  00.3% (27)  00.7% (14)
                      28          7           2           2           8           3           6
[18] dos-flood        00.6% (17)  02.5% ( 8)  00.6% (20)  00.2% (22)  00.3% (20)  00.3% (25)  00.8% (12)
                      28          11          4           1           2           3           7
[19] auth             00.5% (20)  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (21)  00.3% (21)  00.2% (24)
                      24          6           7           3           2           4           2
[20] signedness       00.5% (19)  00.2% (24)  00.9% (16)  00.9% (12)  00.4% (19)  00.6% (15)  00.2% (25)
                      24          1           6           5           3           7           2
[21] pass             00.5% (21)  00.2% (25)  00.8% (17)  00.2% (20)  00.8% (15)  00.3% (24)  00.5% (15)
                      21          1           5           1           6           4           4
[22] double-free      00.4% (22)  00.0%  N/A  00.3% (29)  00.8% (15)  00.8% (13)  00.3% (20)  00.4% (18)
                      19          0           2           4           6           4           3
[23] rand             00.3% (23)  01.4% (16)  00.5% (22)  00.2% (27)  00.1% (24)  00.0%  N/A  00.2% (27)
                      13          6           3           1           1           0           2
[24] crlf             00.2% (25)  00.0%  N/A  00.5% (23)  00.2% (25)  00.0%  N/A  00.4% (17)  00.2% (20)
                      11          0           3           1           0           5           2
[25] spoof            00.2% (24)  00.2% (26)  00.3% (26)  00.0%  N/A  00.0%  N/A  00.3% (23)  00.5% (17)
                      11          1           2           0           0           4           4
[26] form-field       00.2% (26)  00.5% (22)  00.3% (27)  00.2% (21)  00.0%  N/A  00.4% (16)  00.0%  N/A
                      10          2           2           1           0           5           0
[27] default          00.2% (27)  00.2% (28)  00.5% (24)  00.0%  N/A  00.1% (22)  00.3% (26)  00.2% (21)
                      10          1           3           0           1           3           2
[28] type-check       00.2% (28)  00.7% (21)  00.6% (18)  00.0%  N/A  00.0%  N/A  00.1% (30)  00.0%  N/A
                      8           3           4           0           0           1           0
[29] CF               00.2% (29)  00.9% (18)  00.2% (31)  00.2% (26)  00.0%  N/A  00.0%  N/A  00.1% (29)
                      7           4           1           1           0           0           1
[30] dos-release      00.2% (30)  00.9% (19)  00.3% (25)  00.2% (23)  00.0%  N/A  00.0%  N/A  00.0%  N/A
                      7           4           2           1           0           0           0
[31] php-include      00.1% (31)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (19)  00.2% (26)
                      6           0           0           0           0           4           2
[32] eval-inject      00.1% (32)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (22)  00.2% (22)
                      6           0           0           0           0           4           2
[33] design           00.1% (33)  00.2% (23)  00.3% (30)  00.2% (24)  00.0%  N/A  00.1% (31)  00.0%  N/A
                      5           1           2           1           0           1           0
[34] webroot          00.0% (35)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (28)
                      1           0           0           0           0           0           1
[35] upload           00.0% (36)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (32)  00.0%  N/A
                      1           0           0           0           0           1           0
[36] CSRF             00.0% (34)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (29)  00.0%  N/A
                      1           0           0           0           0           1           0
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk              16.0%  N/A  12.4%  N/A  12.6%  N/A  10.4%  N/A  12.2%  N/A  16.1%  N/A  27.2%  N/A
                      708         55          83          55          90          193         232
n/a  other            16.4%  N/A  15.3%  N/A  15.6%  N/A  12.0%  N/A  12.2%  N/A  14.4%  N/A  26.6%  N/A
                      724         68          103         63          90          173         227
n/a  not-specified    14.3%  N/A  00.2%  N/A  05.9%  N/A  26.0%  N/A  24.6%  N/A  22.2%  N/A  00.8%  N/A
                      631         1           39          137         181         266         7




==========================================
===== Table 3: OS Vendors vs. Others =====
==========================================


                         TOTAL        2001        2002        2003        2004        2005        2006
                      ----------  ----------  ----------  ----------  ----------  ----------  ----------
OS-ven                4418        443         660         527         736         1199        853
Other                 11774       991         1478        646         1798        3339        3522
                      ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] XSS              03.4% ( 4)  01.6% (13)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 2)
                      152         7           29          16          10          50          40
               ****   17.8% ( 1)  02.5% ( 8)  10.7% ( 2)  11.1% ( 2)  14.8% ( 1)  20.2% ( 1)  25.5% ( 1)
                      2095        25          158         72          266         675         899
[ 2] buf              20.0% ( 1)  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
                      882         93          177         131         150         194         137
               ****   10.8% ( 3)  18.8% ( 1)  17.3% ( 1)  20.6% ( 1)  13.4% ( 2)  07.5% ( 3)  05.9% ( 4)
                      1274        186         256         133         241         251         207
[ 3] sql-inject       00.8% (14)  00.2% (27)  00.6% (19)  01.1% ( 8)  00.7% (16)  00.9% (13)  00.9% (11)
                      35          1           4           6           5           11          8
               ****   11.7% ( 2)  00.5% (26)  02.3% ( 8)  04.5% ( 3)  07.5% ( 3)  17.2% ( 2)  17.2% ( 2)
                      1381        5           34          29          135         573         605
[ 4] dot              01.4% ( 9)  01.6% (14)  01.5% ( 9)  01.1% (10)  01.6% ( 6)  01.3% (11)  01.6% ( 8)
                      64          7           10          6           12          15          14
               ****   05.9% ( 4)  12.1% ( 2)  06.8% ( 3)  04.3% ( 4)  05.1% ( 4)  05.4% ( 4)  05.1% ( 5)
                      700         120         100         28          92          180         180
[ 5] php-include      00.1% (32)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (19)  00.2% (27)
                      6           0           0           0           0           4           2
               ****   04.7% ( 5)  00.1% (30)  00.4% (22)  01.4% (11)  02.0% ( 8)  02.7% ( 6)  11.7% ( 3)
                      555         1           6           9           36          91          412
[ 6] infoleak         01.2% (11)  00.9% (20)  01.2% (13)  01.1% (11)  01.1% ( 9)  01.3% (10)  01.2% (10)
                      52          4           8           6           8           16          10
               ****   04.1% ( 6)  03.3% ( 6)  05.5% ( 4)  03.7% ( 5)  04.8% ( 5)  04.8% ( 5)  03.0% ( 6)
                      488         33          81          24          87          159         104
[ 7] dos-malform      03.7% ( 3)  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
                      162         25          40          14          33          22          28
               ****   02.6% ( 7)  04.4% ( 5)  04.7% ( 5)  02.3% ( 8)  03.0% ( 6)  01.8% ( 8)  01.6% ( 7)
                      301         44          70          15          54          60          58
[ 8] link             04.0% ( 2)  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
                      177         33          22          21          38          48          15
               ****   01.3% (11)  03.1% ( 7)  01.6% (13)  03.1% ( 7)  01.9% ( 9)  01.2% (11)  00.1% (25)
                      152         31          23          20          34          39          5
[ 9] format-string    02.4% ( 6)  05.2% ( 4)  01.5% (10)  02.3% ( 6)  02.6% ( 5)  02.4% ( 5)  01.6% ( 6)
                      107         23          10          12          19          29          14
               ****   01.6% ( 9)  02.3% ( 9)  02.0% (11)  03.1% ( 6)  02.3% ( 7)  01.4% ( 9)  00.8% (12)
                      189         23          29          20          42          47          28
[10] crypt            00.8% (15)  01.6% (12)  01.4% (11)  01.1% ( 9)  00.4% (19)  00.4% (16)  00.5% (15)
                      34          7           9           6           3           5           4
               ****   01.9% ( 8)  04.8% ( 3)  03.3% ( 6)  01.9% ( 9)  01.1% (14)  01.9% ( 7)  01.0% (10)
                      227         48          49          12          19          63          36
[11] priv             02.0% ( 7)  04.1% ( 5)  02.3% ( 6)  00.8% (16)  00.8% (13)  02.6% ( 4)  01.6% ( 7)
                      88          18          15          4           6           31          14
               ****   01.2% (12)  01.8% (12)  02.1% (10)  01.2% (14)  01.4% (11)  01.1% (12)  00.7% (13)
                      145         18          31          8           26          36          26
[12] metachar         01.2% (10)  02.0% (10)  02.6% ( 5)  00.8% (15)  00.7% (17)  01.3% (12)  00.4% (19)
                      53          9           17          4           5           15          3
               ****   01.4% (10)  04.6% ( 4)  02.6% ( 7)  00.6% (20)  01.2% (13)  01.3% (10)  00.3% (21)
                      165         46          39          4           21          44          11
[13] perm             01.8% ( 8)  04.1% ( 6)  02.1% ( 7)  01.1% ( 7)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
                      78          18          14          6           8           20          12
               ****   01.2% (13)  02.1% (10)  01.7% (12)  01.4% (12)  00.9% (15)  00.8% (15)  01.1% ( 9)
                      137         21          25          9           16          28          38
[14] int-overflow     02.7% ( 5)  00.0%  N/A  01.2% (12)  02.3% ( 5)  04.6% ( 3)  02.1% ( 6)  04.7% ( 3)
                      119         0           8           12          34          25          40
               ****   00.3% (22)  00.1% (31)  00.0%  N/A  00.6% (18)  00.7% (17)  00.3% (21)  00.3% (17)
                      41          1           0           4           13          11          12
[15] dos-flood        00.6% (18)  02.5% ( 8)  00.6% (18)  00.2% (27)  00.3% (21)  00.3% (26)  00.8% (12)
                      28          11          4           1           2           3           7
               ****   00.9% (15)  01.8% (11)  02.2% ( 9)  00.8% (17)  01.6% (10)  00.2% (23)  00.3% (18)
                      103         18          32          5           29          7           12
[16] pass             00.5% (21)  00.2% (25)  00.8% (17)  00.2% (26)  00.8% (15)  00.3% (20)  00.5% (17)
                      21          1           5           1           6           4           4
               ****   00.9% (14)  01.5% (16)  01.5% (14)  00.2% (27)  01.2% (12)  01.0% (14)  00.3% (16)
                      104         15          22          1           22          32          12
[17] auth             00.5% (20)  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (20)  00.3% (23)  00.2% (23)
                      24          6           7           3           2           4           2
               ****   00.8% (16)  01.6% (13)  01.4% (15)  00.5% (22)  00.8% (16)  00.5% (17)  00.8% (11)
                      100         16          20          3           15          17          29
[18] webroot          00.0% (35)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (28)
                      1           0           0           0           0           0           1
               ****   00.7% (17)  00.2% (28)  00.3% (26)  00.5% (21)  00.3% (26)  01.0% (13)  01.1% ( 8)
                      87          2           5           3           5           33          39
[19] form-field       00.2% (27)  00.5% (22)  00.3% (26)  00.2% (21)  00.0%  N/A  00.4% (18)  00.0%  N/A
                      10          2           2           1           0           5           0
               ****   00.6% (18)  00.8% (20)  01.0% (16)  00.8% (15)  00.3% (23)  00.4% (18)  00.7% (14)
                      71          8           15          5           6           14          23
[20] relpath          00.6% (17)  01.6% (11)  00.3% (25)  00.4% (19)  01.1% ( 8)  00.3% (27)  00.7% (13)
                      28          7           2           2           8           3           6
               ****   00.4% (20)  00.5% (25)  00.3% (27)  01.2% (13)  00.3% (22)  00.4% (19)  00.2% (22)
                      43          5           4           8           6           12          8
[21] race             01.0% (12)  01.1% (17)  00.9% (16)  00.4% (18)  01.0% (12)  01.6% ( 9)  00.7% (14)
                      45          5           6           2           7           19          6
               ****   00.2% (27)  00.2% (29)  00.1% (29)  00.8% (16)  00.2% (30)  00.2% (27)  00.1% (24)
                      24          2           2           5           3           7           5
[22] memleak          00.8% (13)  02.0% ( 9)  00.6% (20)  00.8% (13)  01.0% (11)  00.9% (14)  00.2% (25)
                      37          9           4           4           7           11          2
               ****   00.2% (28)  00.7% (22)  00.1% (33)  00.2% (29)  00.3% (19)  00.1% (30)  00.1% (26)
                      24          7           1           1           6           4           5
[23] msdos-device     00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
                      0           0           0           0           0           0           0
               ****   00.5% (19)  01.5% (15)  00.9% (17)  01.7% (10)  00.3% (21)  00.3% (22)  00.1% (31)
                      57          15          13          11          6           10          2
[24] crlf             00.2% (24)  00.0%  N/A  00.5% (23)  00.2% (25)  00.0%  N/A  00.4% (17)  00.2% (24)
                      11          0           3           1           0           5           2
               ****   00.3% (23)  00.0%  N/A  00.1% (34)  00.0%  N/A  00.7% (18)  00.4% (20)  00.3% (19)
                      38          0           1           0           13          12          12
[25] spoof            00.2% (25)  00.2% (28)  00.3% (29)  00.0%  N/A  00.0%  N/A  00.3% (21)  00.5% (16)
                      11          1           2           0           0           4           4
               ****   00.3% (25)  01.4% (17)  00.3% (25)  00.2% (28)  00.2% (29)  00.2% (25)  00.2% (23)
                      37          14          5           1           3           7           7
[26] default          00.2% (26)  00.2% (26)  00.5% (24)  00.0%  N/A  00.1% (22)  00.3% (25)  00.2% (26)
                      10          1           3           0           1           3           2
               ****   00.3% (24)  01.5% (14)  00.9% (18)  00.2% (26)  00.3% (27)  00.0%  N/A  00.1% (29)
                      38          15          13          1           5           0           4
[27] sandbox          00.7% (16)  02.7% ( 7)  02.1% ( 8)  00.0%  N/A  00.1% (24)  00.2% (28)  00.0%  N/A
                      29          12          14          0           1           2           0
               ****   00.1% (33)  00.5% (24)  00.5% (20)  00.0%  N/A  00.2% (28)  00.0%  N/A  00.0%  N/A
                      17          5           8           0           4           0           0
[28] rand             00.3% (23)  01.4% (16)  00.5% (22)  00.2% (23)  00.1% (23)  00.0%  N/A  00.2% (22)
                      13          6           3           1           1           0           2
               ****   00.3% (26)  01.1% (18)  00.6% (19)  00.3% (23)  00.2% (32)  00.1% (32)  00.1% (28)
                      32          11          9           2           3           2           5
[29] upload           00.0% (34)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (32)  00.0%  N/A
                      1           0           0           0           0           1           0
               ****   00.4% (21)  00.0%  N/A  00.1% (32)  00.2% (30)  00.3% (20)  00.6% (16)  00.4% (15)
                      42          0           1           1           6           21          13
[30] signedness       00.5% (19)  00.2% (24)  00.9% (15)  00.9% (12)  00.4% (18)  00.6% (15)  00.2% (20)
                      24          1           6           5           3           7           2
               ****   00.1% (35)  00.0%  N/A  00.1% (30)  00.6% (19)  00.2% (31)  00.1% (28)  00.0%  N/A
                      14          0           2           4           3           5           0
[31] dos-release      00.2% (29)  00.9% (19)  00.3% (30)  00.2% (20)  00.0%  N/A  00.0%  N/A  00.0%  N/A
                      7           4           2           1           0           0           0
               ****   00.2% (29)  00.9% (19)  00.5% (21)  00.2% (25)  00.3% (25)  00.0%  N/A  00.0%  N/A
                      23          9           8           1           5           0           0
[32] CF               00.2% (30)  00.9% (18)  00.2% (31)  00.2% (24)  00.0%  N/A  00.0%  N/A  00.1% (29)
                      7           4           1           1           0           0           1
               ****   00.2% (30)  00.6% (23)  00.4% (23)  00.2% (24)  00.0%  N/A  00.1% (29)  00.1% (27)
                      22          6           6           1           0           4           5
[33] eval-inject      00.1% (31)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (22)  00.2% (21)
                      6           0           0           0           0           4           2
               ****   00.2% (31)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (34)  00.2% (26)  00.3% (20)
                      19          0           0           0           1           7           11
[34] design           00.1% (33)  00.2% (23)  00.3% (27)  00.2% (22)  00.0%  N/A  00.1% (30)  00.0%  N/A
                      5           1           2           1           0         
  1           0
               ****   00.2% (32)  00.7% (21)  00.4% (24)  00.0%  N/A  00.1% 
(33)  00.1% (31)  00.1% (32)
                      18          7           6           0           1         
  2           2
[35] double-free      00.4% (22)  00.0%  N/A  00.3% (28)  00.8% (14)  00.8% 
(14)  00.3% (24)  00.4% (18)
                      19          0           2           4           6         
  4           3
               ****   00.0% (37)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  
N/A  00.0% (33)  00.0% (33)
                      2           0           0           0           0         
  1           1
[36] type-check       00.2% (28)  00.7% (21)  00.6% (21)  00.0%  N/A  00.0%  
N/A  00.1% (31)  00.0%  N/A
                      8           3           4           0           0         
  1           0
               ****   00.1% (36)  00.3% (27)  00.3% (28)  00.0%  N/A  00.0%  
N/A  00.0%  N/A  00.0% (34)
                      8           3           4           0           0         
  0           1
[37] CSRF             00.0% (36)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  
N/A  00.1% (29)  00.0%  N/A
                      1           0           0           0           0         
  1           0
               ****   00.1% (34)  00.0%  N/A  00.1% (31)  00.0%  N/A  00.3% 
(24)  00.2% (24)  00.1% (30)
                      15          0           1           0           5         
  7           2
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk              16.0%  N/A  12.4%  N/A  12.6%  N/A  10.4%  N/A  12.2%  
N/A  16.1%  N/A  27.2%  N/A
                      708         55          83          55          90        
  193         232
               ****   06.4%  N/A  06.0%  N/A  04.6%  N/A  04.2%  N/A  06.6%  
N/A  06.3%  N/A  07.7%  N/A
                      752         59          68          27          119       
  209         270
n/a  other            16.4%  N/A  15.3%  N/A  15.6%  N/A  12.0%  N/A  12.2%  
N/A  14.4%  N/A  26.6%  N/A
                      724         68          103         63          90        
  173         227
               ****   14.8%  N/A  17.3%  N/A  20.6%  N/A  11.8%  N/A  19.2%  
N/A  12.6%  N/A  12.1%  N/A
                      1744        171         304         76          345       
  422         426
n/a  not-specified    14.3%  N/A  00.2%  N/A  05.9%  N/A  26.0%  N/A  24.6%  
N/A  22.2%  N/A  00.8%  N/A
                      631         1           39          137         181       
  266         7
               ****   04.2%  N/A  00.1%  N/A  01.8%  N/A  15.9%  N/A  05.8%  
N/A  07.4%  N/A  00.2%  N/A
                      490         1           27          103         105       
  247         7



==================================================
===== Table 4: Open and Closed Source (OS vendors)
==================================================


                         TOTAL        2001        2002        2003        2004        2005        2006
                      ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] buf              19.7% ( 1)  20.3% ( 1)  24.6% ( 1)  25.0% ( 1)  24.5% ( 1)  14.6% ( 1)  17.1% ( 1)
               ****   20.4% ( 1)  20.3% ( 1)  27.7% ( 1)  26.1% ( 1)  15.3% ( 1)  18.5% ( 1)  16.3% ( 1)
[ 2] link             06.4% ( 2)  14.0% ( 2)  04.8% ( 3)  04.9% ( 2)  08.6% ( 2)  06.1% ( 2)  02.4% ( 5)
               ****   01.6% ( 6)  01.0% (17)  01.8% ( 9)  03.0% ( 2)  01.9% ( 5)  00.8% ( 7)  01.6% ( 6)
[ 3] dos-malform      02.8% ( 5)  02.7% ( 7)  04.4% ( 4)  02.6% ( 6)  03.5% ( 5)  01.7% ( 8)  03.3% ( 4)
               ****   05.3% ( 2)  09.2% ( 2)  08.1% ( 2)  02.5% ( 3)  07.3% ( 2)  02.1% ( 3)  03.9% ( 3)
[ 4] XSS              04.6% ( 3)  02.7% ( 8)  05.9% ( 2)  03.0% ( 5)  01.4% (10)  05.5% ( 3)  07.1% ( 2)
               ****   02.3% ( 3)  00.5% (22)  03.6% ( 4)  02.5% ( 4)  00.8% ( 8)  02.1% ( 4)  03.2% ( 4)
[ 5] format-string    04.0% ( 4)  08.6% ( 3)  02.9% ( 6)  03.0% ( 4)  04.9% ( 3)  03.7% ( 4)  02.4% ( 6)
               ****   00.8% (16)  01.4% (13)  00.6% (17)  02.0% ( 5)  00.4% (18)  00.8% (10)  00.3% (17)
[ 6] int-overflow     02.6% ( 6)  00.0%  N/A  02.2% ( 7)  03.4% ( 3)  04.0% ( 4)  02.2% ( 7)  03.5% ( 3)
               ****   01.7% ( 5)  00.0%  N/A  00.0%  N/A  01.0% ( 7)  03.4% ( 3)  00.8% ( 8)  04.2% ( 2)
[ 7] priv             02.3% ( 7)  05.4% ( 4)  01.8% ( 8)  01.5% (12)  01.2% (11)  02.3% ( 5)  02.2% ( 7)
               ****   01.8% ( 4)  01.9% ( 8)  03.0% ( 6)  00.0%  N/A  00.4% (16)  03.4% ( 2)  00.8% (13)
[ 8] perm             02.2% ( 8)  05.4% ( 5)  01.1% (13)  01.9% ( 8)  01.7% ( 7)  02.3% ( 6)  01.4% ( 9)
               ****   01.6% ( 7)  02.4% ( 6)  03.3% ( 5)  00.5% (11)  00.4% (12)  00.8% (12)  01.8% ( 5)
[ 9] dot              01.5% (10)  00.5% (18)  01.8% ( 9)  01.1% (15)  02.0% ( 6)  01.4% (12)  01.6% ( 8)
               ****   01.2% (10)  01.9% (10)  00.9% (13)  01.0% ( 9)  01.5% ( 7)  00.5% (18)  01.6% ( 7)
[10] infoleak         01.1% (13)  00.5% (19)  01.5% (12)  01.1% (13)  01.2% (12)  01.0% (14)  01.4% (10)
               ****   01.1% (13)  01.4% (12)  00.9% (12)  01.0% ( 8)  00.4% (17)  01.6% ( 5)  01.1% (10)
[11] metachar         01.5% ( 9)  03.2% ( 6)  02.9% ( 5)  01.5% (11)  00.6% (15)  01.4% (11)  00.5% (15)
               ****   00.5% (18)  01.0% (18)  01.2% (11)  00.0%  N/A  00.4% (14)  00.5% (15)  00.0%  N/A
[12] race             01.4% (11)  02.3% ( 9)  01.8% (10)  00.4% (19)  01.7% ( 8)  01.6% ( 9)  00.8% (13)
               ****   00.3% (24)  00.0%  N/A  00.0%  N/A  00.5% (10)  00.0%  N/A  00.8% (14)  00.3% (21)
[13] sql-inject       01.2% (12)  00.5% (21)  00.7% (18)  01.9% ( 9)  00.9% (13)  01.6% (10)  01.4% (11)
               ****   00.4% (19)  00.0%  N/A  00.6% (18)  00.5% (20)  00.4% (13)  00.0%  N/A  00.8% (14)
[14] memleak          00.9% (14)  00.0%  N/A  00.7% (16)  01.1% (14)  01.4% ( 9)  01.2% (13)  00.3% (24)
               ****   00.9% (15)  04.3% ( 4)  00.3% (19)  00.5% (12)  00.0%  N/A  00.8% (13)  00.3% (19)
[15] crypt            00.7% (16)  01.8% (11)  00.7% (15)  01.9% ( 7)  00.0%  N/A  00.4% (18)  00.3% (21)
               ****   00.9% (14)  01.0% (16)  02.1% ( 7)  00.0%  N/A  00.8% (11)  00.5% (16)  00.5% (15)
[16] sandbox          00.2% (26)  00.5% (15)  00.0%  N/A  00.0%  N/A  00.3% (20)  00.3% (23)  00.0%  N/A
               ****   01.4% ( 8)  05.3% ( 3)  04.2% ( 3)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[17] dos-flood        00.3% (21)  01.4% (12)  00.4% (24)  00.0%  N/A  00.0%  N/A  00.3% (24)  00.0%  N/A
               ****   01.1% (11)  03.9% ( 5)  00.9% (14)  00.5% (14)  00.8% ( 9)  00.3% (19)  01.3% ( 8)
[18] relpath          00.6% (17)  01.8% (10)  00.7% (17)  00.4% (18)  00.3% (16)  00.4% (19)  00.5% (18)
               ****   00.7% (17)  01.4% (14)  00.0%  N/A  00.5% (13)  01.9% ( 6)  00.0%  N/A  01.1% (12)
[19] auth             00.1% (28)  00.5% (16)  00.0%  N/A  00.0%  N/A  00.3% (17)  00.0%  N/A  00.3% (20)
               ****   01.2% ( 9)  02.4% ( 7)  02.1% ( 8)  01.5% ( 6)  00.4% (15)  01.0% ( 6)  00.3% (18)
[20] pass             00.0% (32)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (28)  00.0%  N/A
               ****   01.1% (12)  00.5% (20)  01.5% (10)  00.5% (16)  02.3% ( 4)  00.8% (11)  01.1% ( 9)
[21] signedness       00.8% (15)  00.5% (17)  01.8% (11)  01.5% (10)  00.3% (19)  00.6% (17)  00.5% (16)
               ****   00.2% (29)  00.0%  N/A  00.0%  N/A  00.5% (17)  00.0%  N/A  00.5% (17)  00.0%  N/A
[22] double-free      00.6% (18)  00.0%  N/A  00.4% (22)  01.1% (16)  00.9% (14)  00.3% (25)  00.8% (12)
               ****   00.2% (28)  00.0%  N/A  00.0%  N/A  00.5% (19)  00.8% (10)  00.3% (21)  00.0%  N/A
[23] spoof            00.2% (23)  00.0%  N/A  00.7% (20)  00.0%  N/A  00.0%  N/A  00.4% (21)  00.0%  N/A
               ****   00.3% (22)  00.5% (23)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (20)  01.1% (11)
[24] form-field       00.4% (20)  00.5% (20)  00.7% (19)  00.4% (20)  00.0%  N/A  00.7% (16)  00.0%  N/A
               ****   00.1% (31)  00.5% (21)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[25] crlf             00.5% (19)  00.0%  N/A  01.1% (14)  00.0%  N/A  00.0%  N/A  00.7% (15)  00.5% (17)
               ****   00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[26] rand             00.2% (22)  00.9% (13)  00.4% (21)  00.4% (17)  00.0%  N/A  00.0%  N/A  00.3% (22)
               ****   00.3% (23)  01.9% ( 9)  00.3% (22)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[27] default          00.1% (29)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (18)  00.0%  N/A  00.3% (23)
               ****   00.4% (20)  00.5% (24)  00.6% (16)  00.0%  N/A  00.0%  N/A  00.8% ( 9)  00.3% (16)
[28] dos-release      00.1% (27)  00.5% (22)  00.4% (23)  00.4% (21)  00.0%  N/A  00.0%  N/A  00.0%  N/A
               ****   00.2% (27)  01.4% (11)  00.3% (21)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[29] type-check       00.0% (34)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (26)  00.0%  N/A
               ****   00.3% (21)  01.4% (15)  00.9% (15)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[30] CF               00.1% (30)  00.9% (14)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
               ****   00.2% (26)  01.0% (19)  00.0%  N/A  00.5% (18)  00.0%  N/A  00.0%  N/A  00.3% (22)
[31] eval-inject      00.2% (24)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.4% (20)  00.5% (14)
               ****   00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[32] php-include      00.2% (25)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.4% (22)  00.3% (19)
               ****   00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[33] design           00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
               ****   00.2% (25)  00.5% (25)  00.3% (20)  00.5% (15)  00.0%  N/A  00.3% (22)  00.0%  N/A
[34] webroot          00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
               ****   00.1% (30)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.3% (20)
[35] upload           00.0% (33)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (29)  00.0%  N/A
               ****   00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
[36] CSRF             00.0% (31)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.1% (27)  00.0%  N/A
               ****   00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk              09.7%  N/A  12.2%  N/A  10.3%  N/A  04.5%  N/A  07.8%  N/A  11.5%  N/A  10.1%  N/A
               ****   25.7%  N/A  13.0%  N/A  15.7%  N/A  20.1%  N/A  23.0%  N/A  26.9%  N/A  45.0%  N/A
n/a  other            19.3%  N/A  13.1%  N/A  20.6%  N/A  15.7%  N/A  10.4%  N/A  15.9%  N/A  39.4%  N/A
               ****   12.4%  N/A  18.8%  N/A  12.7%  N/A  05.0%  N/A  14.9%  N/A  10.7%  N/A  12.4%  N/A
n/a  not-specified    13.4%  N/A  00.0%  N/A  04.4%  N/A  21.6%  N/A  21.9%  N/A  20.5%  N/A  00.8%  N/A
               ****   13.2%  N/A  00.5%  N/A  06.3%  N/A  28.6%  N/A  22.6%  N/A  24.3%  N/A  00.5%  N/A