1. 26

  2. 3

    Over the course of its lifetime, there have been 69 security bugs in Firefox’s style component. If we’d had a time machine and could have written this component in Rust from the start, 51 (73.9%) of these bugs would not have been possible.

    Note that this independently validates Microsoft’s finding that 70 percent of all security bugs are memory safety issues. It’s fairly precise; we can be pretty sure it’s not 60% and also not 80%.

    1. 3

      Around 70 percent of all the vulnerabilities in Microsoft products

      I think it’s more of a coincidence. As others in the comments you link to point out, companies can choose to invest in more tools for finding these bugs in validation before release, and conceivably have a lower percentage of ‘memory safety bugs’. It’s a coincidence because as of now there are only two data points presented, and that’s not enough to validate anything.

      1. 1

        I don’t think you can classify a large number of Microsoft products as one data point.

        1. 2

          They’re large, real-world projects often built by different teams. Definitely multiple data points. Each project itself might count as multiple data points if it has a lot of different kinds of components. A product like Word is like piles of tiny projects in FOSS put together.