A growing trend
Over the course of a decade, our researchers have observed many shifts in the vulnerability disclosure landscape. As leaders in the vulnerability intelligence space, we have seen the fall of Bugtraq, the steady rise of Patch Tuesday, and experienced the full force of the Vulnerability Fujiwhara Effect.
However, our vulnerability researchers are seeing a continually growing trend, one that will likely continue to skyrocket as new technologies and software continue to come to market. GitHub has become a significant medium for vulnerability information and disclosures.
Despite being a software development tool, GitHub has over 94,000 references affecting over 45,000 vulnerabilities. Here is a breakdown of vulnerabilities with external references to GitHub within the last ten years, by date of first disclosure:
Based on the trend, we might have assumed that the number of GitHub vulnerabilities would have continued to increase, maybe even jump considerably in recent years. But despite 2016 – 2017’s meteoric rise, it seems that since 2018, vulnerability disclosures have plateaued. This isn’t from lackluster monitoring, since VulnDB is constantly expanding its already substantial coverage of third-party libraries and disclosures via GitHub as a whole. We’ll dig more into this trend as more data becomes available. But regardless, the message is loud and clear: GitHub has emerged as a major player in the vulnerability disclosure landscape.
What type of vulnerability references can be found in GitHub?
Before we jump to conclusions for 2021, let’s take a look at last year’s GitHub vulnerabilities:
- Vendor Specific Solution URL – This generally includes pull requests and fixing commits. There are times where a single issue may lead to fixes in different trees via multiple pull requests.
- Bug Tracker – Our general term for a bug tracker like JIRA or Mantis. In GitHub, they are called ‘Issues’.
- General Exploit URL – This is when a repo is created that hosts exploit code for a specific, previously disclosed issue. This generally is not used for the initial disclosure, only exploit code.
- Other Advisory – A repo created to disclose a new vulnerability that may or may not contain exploit code.
Overall, these numbers are interesting and encouraging. First off, it shows that GitHub is doing exactly what it was meant to do, which is making open source projects more transparent. Seeing so many references to solutions is good for organizations aiming to remediate every vulnerability. Since these solution URLs are typically in third-party libraries, it is a great benefit to have the details to fix issues here, rather than having to scour CVE/NVD (which often does not have that information at all)!
What this could mean for the future
In the late 90’s and early 00’s, a significant number of disclosures occurred on Bugtraq and Full Disclosure mail lists. Then, as Milw0rm, Packetstorm, and Exploit Database gained popularity, disclosures shifted to those platforms. Next, our researchers noted the rise of easy-to-use blogs like WordPress and Blogspot. Since then, these personal researcher blogs have increased over time and continue to be a steady source of information for VulnDB.
Monitoring these can be tricky since new blogs are created every day and locating new ones that have vulnerabilities is a challenge. Now, it is clear that GitHub is a major player in the vulnerability disclosure landscape. But is it destined to stay, and if so, for how long?
So far, it seems that GitHub’s use for vulnerability disclosure will continue to grow in numbers. The initial jump and high numbers isn’t seen on similar developer-oriented platforms like SourceForge or Gitee, only GitHub. This speaks to GitHub’s domination of the space and accounting for backfill, we will likely see vulnerability disclosures in 2019 and 2020 rise. It will be interesting to see how 2021 ends and whether the numbers of vulnerabilities will continue to slightly trend downward, or start to climb.
If GitHub vulnerability disclosures continue to grow, or spike as we saw in 2017, that could have an impact on the security industry as a whole. If GitHub continues to be a de facto source for third-party libraries and OSS vulnerabilities, security professionals need to take note and ensure it is part of their tracking and research process.
As we saw with personal researcher blogs, it will be a challenge for organizations to keep track of GitHub’s more than 100 million repositories. If GitHub continues its vulnerability disclosure trend, developers and product security experts will need comprehensive vulnerability intelligence that is actively monitoring and tracking this source.