Quantifying Cross-Release Vulnerability Discovery in Software: A Multi-Release Modeling Approach
DOI: https://doi.org/10.13052/jgeu0975-1416.1416
Keywords: Multi-release software, patch, security, vulnerability discovery models (VDMs)
Abstract
Software Vulnerability Discovery Models (VDMs) describe how security flaws are found in software after it has been released. Most existing models treat a single release and assume that vulnerabilities are discovered independently of one another. Modern software, however, typically ships as several versions that share a large part of their code. Because of this shared code, a vulnerability discovered in one version frequently exposes the same or a closely related flaw in other versions, a phenomenon referred to as cross-discovery. In this paper, the author extends the traditional VDM framework to model several software releases simultaneously, allowing the releases to interact through cross-discovery. Whereas existing multi-release models assign a constant value to the influence of shared code, the proposed model introduces time-dependent cross-discovery coefficients. These functions capture how the influence of one version on another changes over time (for example, as patching causes the code bases to diverge), making the model more realistic.
The author applies the proposed model to real-world vulnerability data for two widely deployed Windows operating system versions, Windows XP and Windows Vista. The model captures both discoveries made within a release and those triggered by interaction with the other release. The author estimates the model parameters, validates the fit using statistical goodness-of-fit measures, and plots predicted against observed discovery trends. The results show that the proposed approach gives a more detailed picture of how vulnerabilities are found across multiple releases, which supports better software maintenance and security planning (for example, deciding how long to keep patching an older release that still shares code with a newer one).
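The abstract describes the model only in words. The following is an added, constructed illustration of the idea (it is not the paper's model, data or code, and the functional forms are assumptions chosen for the example): each release follows the Alhazmi-Malaiya Logistic (AML) model in rate form, a share kappa_ij(t) = k0 * exp(-lam * t) of one release's monthly finds is also counted against the other release (lam = 0 reproduces the constant-coefficient case of earlier multi-release models), and a least-squares grid search recovers lam from a constructed monthly cross-discovery series. The parameter values, the 24-month lag between the releases and the (B - Omega)/B scaling of the cross term are all assumptions.

```python
"""Added illustration: two releases whose vulnerability discovery processes
interact through a time-dependent cross-discovery coefficient.
Constructed example, not the paper's model or code; every functional form
and parameter value below is an assumption made for illustration.

Assumed model (monthly forward-Euler steps, t = months since release 1):
  within-release rate  w_i(t) = A_i * Omega_i * (B_i - Omega_i)
                       (AML model in rate form; B_i is release i's pool)
  cross-discovery      x_i(t) = kappa_ij(t) * w_j(t) * (B_i - Omega_i) / B_i
                       (a share of this month's release-j finds also hit
                       release i, scaled by how much of i is still unfound)
  coefficient          kappa_ij(t) = k0 * exp(-lam * t); lam = 0 gives the
                       constant coefficient of earlier multi-release models
Omega_i is advanced by w_i + x_i, so a cross-discovered flaw also shrinks
the pool that drives the next month's within-release rate.
"""
import math


def decaying_coefficient(k0, lam):
    """kappa(t) = k0 * exp(-lam*t); lam = 0 is the constant-coefficient case."""
    return lambda t: k0 * math.exp(-lam * t)


def simulate(params, kappa_12, kappa_21, months, lag=0):
    """Simulate both releases month by month.

    params   -- ((A1, B1, Omega1_0), (A2, B2, Omega2_0)); Omega_i0 is the
                count already known when release i ships (assumed values)
    kappa_12 -- kappa_12(t): release-2 finds that carry over to release 1
    kappa_21 -- kappa_21(t): release-1 finds that carry over to release 2
    lag      -- months after release 1 at which release 2 ships
    Returns one row per month with within/cross counts and cumulative totals.
    """
    (a1, b1, o1), (a2, b2, o2) = params
    omega = [o1, 0.0]          # release 2 has no pool to mine before it ships
    rows = []
    for t in range(1, months + 1):
        if t == lag + 1:       # release 2 ships this month
            omega[1] = o2
        shipped2 = t > lag
        w1 = a1 * omega[0] * (b1 - omega[0])
        w2 = a2 * omega[1] * (b2 - omega[1]) if shipped2 else 0.0
        x1 = kappa_12(t) * w2 * (b1 - omega[0]) / b1
        x2 = kappa_21(t) * w1 * (b2 - omega[1]) / b2 if shipped2 else 0.0
        omega[0] += w1 + x1
        omega[1] += w2 + x2
        rows.append({"month": t, "within": (w1, w2), "cross": (x1, x2),
                     "cumulative": tuple(omega)})
    return rows


def summarize(rows):
    """Totals per release and the share attributable to cross-discovery."""
    within = [sum(r["within"][i] for r in rows) for i in (0, 1)]
    cross = [sum(r["cross"][i] for r in rows) for i in (0, 1)]
    share = [cross[i] / (within[i] + cross[i]) if within[i] + cross[i] else 0.0
             for i in (0, 1)]
    return {"within": within, "cross": cross, "cross_share": share,
            "final": rows[-1]["cumulative"]}


def fit_decay_rate(observed_cross2, params, kappa_12, k0, months, lag, lam_grid):
    """Least-squares grid search for lam in kappa_21(t) = k0*exp(-lam*t),
    given the observed monthly count of release-2 vulnerabilities that were
    cross-discovered from release 1 (kappa_12 and k0 held fixed)."""
    best_lam, best_sse = None, math.inf
    for lam in lam_grid:
        rows = simulate(params, kappa_12, decaying_coefficient(k0, lam),
                        months, lag)
        sse = sum((r["cross"][1] - o) ** 2
                  for r, o in zip(rows, observed_cross2))
        if sse < best_sse:
            best_lam, best_sse = lam, sse
    return best_lam, best_sse


# Constructed parameters (assumptions): release 1 is older and larger,
# release 2 ships 24 months later and shares much of its code.
PARAMS = ((0.0003, 300.0, 18.75), (0.0004, 200.0, 18.2))
MONTHS, LAG, K0 = 96, 24, 0.4

if __name__ == "__main__":
    constant = simulate(PARAMS, decaying_coefficient(K0, 0.0),
                        decaying_coefficient(K0, 0.0), MONTHS, LAG)
    decaying = simulate(PARAMS, decaying_coefficient(K0, 0.02),
                        decaying_coefficient(K0, 0.02), MONTHS, LAG)
    for name, rows in (("constant", constant), ("decaying", decaying)):
        s = summarize(rows)
        print(f"{name:9s} cross share r1={s['cross_share'][0]:.3f} "
              f"r2={s['cross_share'][1]:.3f} final={s['final']}")
    observed = [r["cross"][1] for r in decaying]       # constructed "data"
    lam, sse = fit_decay_rate(observed, PARAMS, decaying_coefficient(K0, 0.02),
                              K0, MONTHS, LAG, [i / 100 for i in range(11)])
    print(f"recovered lam={lam} sse={sse:.3g}")
```

Running the script prints the cross-discovery share of each release under a constant and under a decaying coefficient, then recovers the decay rate from the constructed series. With real data the observed series would come from mapping each CVE to the releases it affects and dating when it was first reported against each; the grid search stands in for whatever estimator the paper uses and is not its method.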