CVE Details is a website that tracks bugs in various software systems, aggregating the data and issuing an “award” for the software that has the most reported bugs in any given year.
This year, Android topped the list by a wide margin, with a staggering 523 reported security issues. The runner-up, Debian Linux, placed a distant second with 319 vulnerabilities.
Surprisingly, Adobe’s Flash Player had 266 reported. That’s still a staggering number, but far fewer than one might expect given how many times it’s been in the news.
At first glance, the sheer number of Android bugs is both shocking and alarming, but it’s important to note the limitations of the list. It does not take issue severity into account. Many of the Android bugs reported in 2016 were relatively minor flaws whose fixes were rolled into patches designed to fix more pressing issues.
This is the reason that Adobe captured more headlines, even though it came in fourth place with Flash Player. A greater percentage of its reported bugs were critical flaws.
Limitations aside, there is some value to these statistics, and they are a good broad measure of the state of security in programs your company probably relies on a great deal.
Being “awarded” top honors by CVE Details is hardly a reason to cheer, but it’s not the end of the world. Seeing Android at the top of the list, for example, is not a sufficient reason to trade all your Android devices in for handhelds running iOS. After all, last year, Apple products reported a mind-boggling 7008 security vulnerabilities.
The point is, just about every major tech company takes a turn “winning” this award, so while the list is important to keep track of, it’s also important to take its findings with a grain of salt.