A precise vulnerability discovery model (VDM) provides useful insight for assessing software security and can serve as a prediction instrument for both software vendors and users, who can use it to understand security trends and plan their patching schedules accordingly. Several models have been proposed and validated so far, yet no systematic, independent validation by anyone other than the models' own authors exists. Furthermore, a number of issues might bias previous studies in the field. In this work, we fill this gap by introducing an empirical methodology that systematically evaluates the performance of a VDM in two aspects: quality and predictability. We then apply this methodology to assess existing VDMs. The results show that some models should be rejected outright, while others might be adequate to capture the vulnerability discovery process. We also consider different usage scenarios of VDMs and find that the simplest linear model is the most appropriate choice, in terms of both quality and predictability, when browsers are young; otherwise, logistic-based models are better choices.
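Added example, not the paper's own code or data: it fits a linear VDM and a logistic VDM to a constructed monthly series of cumulative disclosed vulnerabilities and scores each on quality (goodness of fit, taken here as R^2) and predictability (mean relative error of a forecast made from only the first months). The sample series, the grid-search fitter and the two metrics are illustrative assumptions, not the paper's methodology.

```python
import math

# Constructed sample (not from the paper): cumulative vulnerabilities disclosed
# per month for a hypothetical browser version; values are illustrative only.
MONTHS = list(range(1, 19))
CUMULATIVE = [3, 7, 12, 18, 25, 33, 42, 52, 61, 69, 76, 82, 87, 91, 94, 96, 97, 98]

def linear(params, t):
    """Linear VDM: the cumulative count grows at a constant rate."""
    a, b = params
    return a * t + b

def logistic(params, t):
    """Logistic (S-shaped) VDM: slow start, peak discovery rate, then saturation."""
    k, r, t0 = params
    return k / (1.0 + math.exp(-r * (t - t0)))

def fit_linear(t, y):
    """Closed-form least-squares fit of the linear VDM."""
    mt, my = sum(t) / len(t), sum(y) / len(y)
    a = sum((ti - mt) * (yi - my) for ti, yi in zip(t, y)) / sum((ti - mt) ** 2 for ti in t)
    return a, my - a * mt

def fit_logistic(t, y):
    """Coarse grid-search least-squares fit of the logistic VDM (no SciPy needed)."""
    best_sse, best = float("inf"), None
    for k in [max(y) * s for s in (1.0, 1.1, 1.25, 1.5, 2.0)]:   # saturation level
        for r in [i / 20 for i in range(1, 21)]:                  # growth rate 0.05..1.0
            for t0 in [i / 2 for i in range(2, 41)]:              # inflection month 1..20
                sse = sum((logistic((k, r, t0), ti) - yi) ** 2 for ti, yi in zip(t, y))
                if sse < best_sse:
                    best_sse, best = sse, (k, r, t0)
    return best

def quality(model, params, t, y):
    """Quality: R^2 of the fitted curve against the observed series (1.0 = perfect)."""
    my = sum(y) / len(y)
    ss_res = sum((yi - model(params, ti)) ** 2 for ti, yi in zip(t, y))
    return 1.0 - ss_res / sum((yi - my) ** 2 for yi in y)

def predictability(model, fitter, t, y, train):
    """Predictability: fit on the first `train` months, then mean relative forecast error."""
    params = fitter(t[:train], y[:train])
    errs = [abs(model(params, ti) - yi) / yi for ti, yi in zip(t[train:], y[train:])]
    return sum(errs) / len(errs)

if __name__ == "__main__":
    for name, m, f in (("linear", linear, fit_linear), ("logistic", logistic, fit_logistic)):
        p = f(MONTHS, CUMULATIVE)
        print(name, round(quality(m, p, MONTHS, CUMULATIVE), 3),
              round(predictability(m, f, MONTHS, CUMULATIVE, 9), 3))
```

On this saturating series the logistic model fits the whole history better, while the linear model already fits the first few months well, which is the "young browser" situation the abstract singles out.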