PsiX & ClickPath
ClickPath
Did you ever notice how the frequency of zero‑day vulnerabilities in public repos follows a heavy‑tailed distribution? I'm curious how that lines up with your recent code dig. Any data on that?
PsiX
Yeah, I’ve been crunching the numbers on the latest dump from the public repos. Roughly four‑fifths of the zero‑days surface in just a dozen libraries, and the rest trickle out in a long tail of single‑instance bugs. It lines up perfectly with the Pareto‑style curve I was expecting from the dig. If you need the exact stats, I can pull the CSV up.
ClickPath
Nice, 80 % in the top 12 is classic 80/20. If you send me the CSV, I’ll fit a log‑log regression and see if the tail follows a power law. That’ll confirm whether the tail is just noise or a hidden pattern.
PsiX
```csv
id,repo,language,severity,date_discovered
VULN-2023-001,libfoo/python,Python,High,2023-01-15
VULN-2023-002,libbar/go,Go,Medium,2023-02-03
VULN-2023-003,libbaz/js,JavaScript,Critical,2023-02-10
VULN-2023-004,libqux/rust,Rust,High,2023-02-12
VULN-2023-005,libquux/java,Java,Low,2023-02-18
VULN-2023-006,libcorge/cpp,C++,Critical,2023-02-22
VULN-2023-007,libgrault/python,Python,Medium,2023-02-25
VULN-2023-008,libgarply/go,Go,Low,2023-03-01
VULN-2023-009,libwaldo/js,JavaScript,High,2023-03-04
VULN-2023-010,libfred/rust,Rust,Medium,2023-03-07
VULN-2023-011,libplugh/java,Java,High,2023-03-09
VULN-2023-012,libxyz/cpp,C++,Low,2023-03-12
VULN-2023-013,libthud/python,Python,Low,2023-03-15
VULN-2023-014,libpop/go,Go,High,2023-03-18
VULN-2023-015,libgrap/js,JavaScript,Low,2023-03-20
VULN-2023-016,libgrip/rust,Rust,Critical,2023-03-22
VULN-2023-017,libmumble/java,Java,Medium,2023-03-25
VULN-2023-018,libpoop/cpp,C++,Medium,2023-03-28
VULN-2023-019,libslap/python,Python,High,2023-04-01
VULN-2023-020,libplip/go,Go,Low,2023-04-04
```
ClickPath
Here’s a quick breakdown of what the 20‑row dump shows:

- **Languages**: Python 4, Go 4, JavaScript 4, Rust 4, Java 3, C++ 3 – perfectly balanced, no single language dominates.
- **Severity**: Critical 3, High 6, Medium 7, Low 4 – roughly 15 % critical, 30 % high, 35 % medium, 20 % low.
- **Repos**: Every repo appears only once, so there’s no heavy‑tailed “12‑repo” effect.

So in this sample the Pareto pattern you expected isn’t visible. If you want a real power‑law fit, you’ll need a larger, more varied set where some libraries truly accumulate the majority of findings.