
Why zero CVEs makes zero sense



Nevertheless, there is a fundamental problem with the zero CVEs concept in practice. Specifically, the only way to get close to zero CVEs at scale is to always upgrade to the latest upstream code. This gets you the latest security patches, but it also brings with it new features, new bugs, new regressions, new incompatibilities, configuration changes, and so on. In other words, we have to acknowledge that any code change can itself introduce new vulnerabilities (or instabilities) that may be worse than the vulnerability corrected.

The challenge is that not every single software flaw is a threat (or a serious threat) to security, especially given the rising tide of CVEs. For example, there were about 30,000 CVEs recorded in 2023, but nearly 40,000 in 2024.
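The point that not every CVE is a serious threat is usually operationalized as risk-based triage: instead of treating the raw count as the metric, each finding is bucketed by whether it is actually exploitable in your deployment and how urgently it needs a fix. The following is an added example, not code from the original article; the scoring thresholds, the field names on the finding record, and the sample findings (with placeholder CVE identifiers) are all assumptions constructed for illustration.

```python
"""Risk-based triage of vulnerability-scanner findings.

Added example: decides which findings need action now, which can be
scheduled, and which are not exploitable in this deployment, rather than
chasing a count of zero. Thresholds and field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding, enriched with deployment context."""
    cve_id: str          # identifier as reported by the scanner
    package: str         # affected component
    cvss: float          # base score reported for the CVE
    in_kev: bool         # listed in a known-exploited-vulnerabilities catalogue
    reachable: bool      # the vulnerable code path is actually used by this app
    fix_available: bool  # a patched version exists upstream


def triage(f: Finding) -> str:
    """Map a finding to an action bucket (thresholds are assumptions)."""
    # Actively exploited in the wild and fixable: nothing else matters.
    if f.in_kev and f.fix_available:
        return "patch_now"
    # Critical and actually reachable from our code: treat as urgent.
    if f.cvss >= 9.0 and f.reachable:
        return "patch_now"
    # Present in the dependency tree but the vulnerable path is never used.
    if not f.reachable:
        return "not_affected"
    # Reachable but not critical: fix in the normal release cadence.
    if f.cvss >= 7.0:
        return "schedule"
    # Everything else is recorded so the count is honest, but not chased.
    return "track"


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding IDs by triage bucket."""
    buckets: dict[str, list[str]] = {
        "patch_now": [], "schedule": [], "track": [], "not_affected": []
    }
    for f in findings:
        buckets[triage(f)].append(f.cve_id)
    return buckets


# Constructed sample findings; CVE ids are placeholders, not real records.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", 6.5, in_kev=True, reachable=True, fix_available=True),
    Finding("CVE-0000-0002", "parserlib", 9.8, in_kev=False, reachable=True, fix_available=True),
    Finding("CVE-0000-0003", "unusedmod", 9.1, in_kev=False, reachable=False, fix_available=True),
    Finding("CVE-0000-0004", "httpclient", 7.5, in_kev=False, reachable=True, fix_available=False),
    Finding("CVE-0000-0005", "cliutil", 4.3, in_kev=False, reachable=True, fix_available=True),
]

if __name__ == "__main__":
    for bucket, ids in summarize(SAMPLE_FINDINGS).items():
        print(f"{bucket:>13}: {', '.join(ids) or '-'}")
```

Five findings, two of which need immediate action; a "zero CVEs" policy would instead force all five to be upgraded, including the one that is not reachable at all, with the regression risk the article describes.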

There are many variables feeding this CVE inflation. The list includes increases in the number of programmers writing code, AI code generators helping them, the sheer volume of new code being written, an increase in the complexity of that code, and incentives for both security researchers and attackers. For example, students and security researchers are incentivized to find and report CVEs by financial, academic, and personal-brand rewards. Worse, with the AI wars coming, we can expect the discovery of new CVEs to accelerate. An arms race is coming in which AI will assist in discovering new CVEs as well as patching them. The ultimate outcome could be absurd code churn. Some upstream projects even refuse to accept bugs found by AI, effectively creating a denial of service attack on developers.
