The sigmoidal growth of operating system security vulnerabilities: An empirical revisit

Abstract

Purpose. Motivated by the calls for more replications, this paper evaluates a theoretical model for the sigmoidal growth of operating system security vulnerabilities by replicating and extending the existing empirical evidence. Approach. The paper investigates the growth of software security vulnerabilities by fitting the linear, logistic, and Gompertz growth models with nonlinear least squares to time series data that covers a number of operating system products from Red Hat and Microsoft. Results. Although the fitted models are not free of statistical problems, the empirical results show that a sigmoidal growth function can be used for descriptive purposes. The paper further shows that a sigmoidal trend applies also to the number of software faults that were fixed in the Red Hat products. Conclusion. The paper supports the contested theoretical growth model. The few discussed theoretical problems can be used to develop the model further.