Hidden Bug Half‑Life

Updated: 2026.01.12
Analysis of 125,183 Linux kernel bug fixes (2005–2026), using the Fixes: tags in commit messages to pair each fix with the commit that introduced the bug, shows a median discovery time of 0.7 years but an average of 2.1 years because of a long tail: roughly 86.5% of bugs are found within five years, while thousands persist as 'ancient' latent vulnerabilities. The dataset also documents a step-change improvement in one-year discovery rates after 2015 that correlates with fuzzers (Syzkaller), sanitizers (KASAN and others), static analysis, and broader reviewer participation. Quantifying this long tail changes how governments, cloud providers, and critical-infrastructure operators must think about software assurance, disclosure timelines, funding for automated testing and triage, and the role of ML tools in prioritizing human review.
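As an added illustration of the Fixes:-tag method summarized above (example code written for this page, not the Pebblebed tool or anything from the source), the script below parses Fixes: trailers from git-log-style records, resolves each abbreviated SHA to the commit that introduced the bug, and reports the statistics the page quotes: median versus average lifetime, the one- and five-year discovery fractions, and the oldest bug. The commits, hashes and dates are constructed; a real run would feed it records from `git log` on a kernel checkout, and it assumes committer dates are the relevant timestamps.

```python
import re
import statistics
from datetime import datetime
# Kernel fix commits carry a trailer of the form
#   Fixes: <abbreviated sha> ("<subject of the commit that introduced the bug>")
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{7,40})\b", re.MULTILINE | re.IGNORECASE)

# Constructed stand-in for `git log` output as (sha, committer date, subject, body).
# Hashes, dates and subjects are made up; they are not real kernel commits.
SAMPLE_COMMITS = [
    ("a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", "2010-01-01T00:00:00+00:00", "fs: add frob cache", ""),
    ("b2c3d4e5f6a70718293a4b5c6d7e8f9012345678", "2014-06-10T00:00:00+00:00", "net: add widget parser", ""),
    ("c3d4e5f6a7b80718293a4b5c6d7e8f9012345678", "2016-03-01T00:00:00+00:00", "mm: add page gadget", ""),
    ("d4e5f6a7b8c90718293a4b5c6d7e8f9012345678", "2015-06-10T00:00:00+00:00", "net: fix widget off-by-one",
     'Fixes: b2c3d4e5f6a7 ("net: add widget parser")'),
    ("e5f6a7b8c9d00718293a4b5c6d7e8f9012345678", "2016-09-15T00:00:00+00:00", "mm: fix gadget refcount leak",
     'Fixes: c3d4e5f6a7b8 ("mm: add page gadget")'),
    ("f6a7b8c9d0e10718293a4b5c6d7e8f9012345678", "2018-01-01T00:00:00+00:00", "fs: fix frob use-after-free",
     'Fixes: a1b2c3d4e5f6 ("fs: add frob cache")'),
    ("0718293a4b5c6d7e8f9012345678a1b2c3d4e5f6", "2019-01-01T00:00:00+00:00", "drv: fix probe error path",
     'Fixes: deadbeef1234 ("drv: add probe")'),  # target is not in the scanned history
]

def resolve(prefix, by_sha):
    # Expand an abbreviated sha to the unique full sha it prefixes; None if unknown or ambiguous.
    hits = [sha for sha in by_sha if sha.startswith(prefix.lower())]
    return hits[0] if len(hits) == 1 else None

def bug_lifetimes(commits):
    """Years from each bug's introducing commit to its fix, plus the count of unresolvable tags."""
    date = {sha: datetime.fromisoformat(when) for sha, when, _, _ in commits}
    years, unresolved = [], 0
    for sha, _, _, body in commits:
        for prefix in FIXES_RE.findall(body):
            culprit = resolve(prefix, date)
            if culprit is None:
                unresolved += 1  # skip rather than guess; report the gap alongside the stats
                continue
            years.append((date[sha] - date[culprit]).days / 365.25)
    return years, unresolved

def summarize(years):
    # Median vs mean exposes the long tail; the fractions are the page's 1-year/5-year discovery rates.
    return {
        "median_years": statistics.median(years),
        "mean_years": statistics.mean(years),
        "within_1y": sum(y <= 1 for y in years) / len(years),
        "within_5y": sum(y <= 5 for y in years) / len(years),
        "max_years": max(years),
    }
```

On the constructed sample the one unresolved tag is reported rather than dropped silently, which matters at kernel scale where tags can point at rebased, reverted or out-of-tree commits.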

Sources

How Long Does It Take to Fix Linux Kernel Bugs?
EditorDavid 2026.01.12
Pebblebed researcher Jenny Guanni Qu's tool extracted Fixes: tags from the Linux git history (up to 6.19-rc3) to produce 125k records, showing that the longest-lived bug sat for 20.7 years and that 69% of bugs were found within a year by 2022, evidence of both the latent-vulnerability problem and the impact of tooling.