Analysis of Human Factors in 125,000 Linux Kernel Vulnerabilities: Who Writes Bugs and When
By
MBCook
Summary
This article analyzes 125,000 Linux kernel vulnerabilities to understand the human factors behind bug introduction. It examines who writes buggy code, when vulnerabilities are introduced, and identifies super-reviewers who catch bugs. The analysis reveals that most vulnerabilities are introduced by experienced developers, not newcomers, and that bugs are more likely to be introduced during certain times (like late-night coding). The article also discusses practical interventions to reduce vulnerability introduction rates.
Key quotes
This time I asked different questions: Who writes the buggy code? When do they write it? And who are the super-reviewers who catch bugs?
I analyzed 125,000 kernel bugs and found they hide for 2.1 years on average, with race conditions surviving over twice as long as other bug types
But that analysis treated bugs as abstract data points
This post digs into the human side: who introduces vulnerabilities, when they do it, and what we can do about it
You might also wanna read
AI-assisted vulnerability discovery raises concerns about Linux kernel security
This opinion article discusses a troubling trend in Linux security where AI-powered tools are being used to discover and exploit kernel vuln
AI security audit of FreeBSD kernel reveals 15 bugs including RCEs and a hypervisor escape
An AI audit of FreeBSD uncovered 15 kernel bugs, including 3 remote code execution vulnerabilities, 5 local privilege escalation flaws, and
