DocumentCode :
3155965
Title :
Seasonal Variation in the Vulnerability Discovery Process
Author :
Joh, HyunChul ; Malaiya, Yashwant K.
Author_Institution :
Comput. Sci. Dept., Colorado State Univ., Fort Collins, CO
fYear :
2009
fDate :
1-4 April 2009
Firstpage :
191
Lastpage :
200
Abstract :
Vulnerability discovery rates need to be taken into account for evaluating security risks. Accurate projection of these rates is required to estimate the effort needed to develop patches for handling vulnerabilities discovered. Seasonal behaviors of the vulnerability discovery process for a multi-year life-cycle of software products are examined. A careful inspection of the data for several major operating systems, web servers and web browsers suggests presence of a seasonal behavior that is not considered by the vulnerability discovery models. This paper examines the statistical significance of the annual seasonal pattern in the vulnerability discovery rates using the seasonal index approach. The autocorrelation function is used to identify the periodicity. A time series analysis that combines the longer term trends with cycles caused by seasonality may predict the future pattern more accurately. The analysis of the datasets for eight major operating systems and four web related software systems (Windows NT, XP, 2000, Server 2003, MAC OS X, HPUX, Solaris, Red Hat Linux, IIS, Apache, Internet Explorer and Firefox) shows that there is indeed an annual seasonal pattern. While all the programs exhibit a year-end peak, a higher incidence is also observed during the mid-year months for Microsoft products.
Keywords :
file servers; online front-ends; operating systems (computers); security of data; time series; Microsoft products; Web browsers; Web servers; autocorrelation function; multiyear life-cycle; operating systems; seasonal variation; security risks; software products; time series analysis; vulnerability discovery models; vulnerability discovery process; Autocorrelation; Data analysis; Data security; Inspection; Linux; Operating systems; Pattern analysis; Software systems; Time series analysis; Web server; Seasonality; Security; Vulnerability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Testing Verification and Validation, 2009. ICST '09. International Conference on
Conference_Location :
Denver, CO
Print_ISBN :
978-1-4244-3775-7
Electronic_ISBN :
978-0-7695-3601-9
Type :
conf
DOI :
10.1109/ICST.2009.9
Filename :
4815351