The number of publicly reported unique vulnerabilities has risen year after year.
There was a brief decrease and stabilization in 2015 – 2016, but those are the only such years in the more than two decades (1999 onward) I have been following vulnerability metrics. Other than that, it has been up, up, up.

Article Summary
- AI will create more vulnerabilities and more zero-day vulnerabilities
- Zero-days are the majority of vulnerabilities found these days
- Good patch management is more important than ever
Last year, the number of unique publicly announced vulnerabilities (CVEs) was over 48,000. So far, it is on pace to be over 57,000 this year. But I think the final end-of-year figure will be over 100,000, mostly zero-days, found and exploited faster.
Why?
Well, first, more software and more lines of code. AI “vibe coding” is going to produce more software and far more lines of code than ever before. People who have never programmed in their lives are making software. Programmers are making more software.
How much more? I have not seen any firm metrics, but it is far more than a 100% increase year over year.
Just from a pure numbers perspective, all other things being equal, more lines of code means more bugs.
Unfortunately, most of the people coding are not doing any threat modeling (that was true before AI vibe coding was around). Most coders are not trained in secure development lifecycle (SDL) practices. Most vibe coders are not even doing any cursory security testing, code review, or anything else they should be doing cybersecurity-wise. This was always the case for most programmers, but it is definitely a bigger problem in vibe coding.
Sure, you can tell the AI to review your code, threat model it, and do all the things you are supposed to do. Most vibe coders will not be doing that. Most non-programmers will not be doing that. The programmers who have always done those things will still be doing those things (I guess), but a huge number of new “coders” will not, even though it is easier to do than ever before. They have never heard of secure coding, testing, and penetration testing. They will never do it.
So, all other things considered equal, you get more bugs. AI could easily write more secure code, but so far it has not. That makes sense, because AI is trained on human-created code mostly, and humans create lots of bugs. Maybe one day…maybe one day soon, AI will produce more secure code or even flawless code, but until then, expect more bugs.
I do expect that one day, the base AI vendors will improve their coding models so that AI produces nearly flawless code. It will never be flawless, but they should be able to wring out all the easy, common bugs. At the same time, software interaction complexity has never been greater, and AI is just making it more complex. Complexity is the antithesis of security, so whatever bugs AI helps remove from our core coding will be replaced with far more complex bugs from increased complexity. The battle never ends.
I even expect bugs produced by AI to be more widely spread across far more implemented software programs and services. That is because AI is the ultimate code borrower. Like GitHub borrowing, but on steroids. Although we have already seen a single vulnerability impact millions of deployed instances of something (e.g., the log4j vulnerability), we will see a lot more of the same thing – one bug impacting millions of different things. So, expect future unique vulnerabilities to impact more things…more of the things you have in your environment.
Second, if you did not already know this: the vast majority of publicly reported exploited vulnerabilities are zero-days, where the vulnerability is being actively exploited by a real-world adversary before the general public knows about it, before the vendor knows about it, and/or before a vendor patch is available. That has been true since about 2024. Today, over 67% of all publicly announced vulnerabilities are zero-days, and climbing. See the excellent chart from ZeroDayClock below.

It used to be that zero-days were such a small percentage of exploited vulnerabilities, and were exploited far less often than regular vulnerabilities, that security experts (including me) said you could almost ignore them. No more.
Most publicly announced exploited vulnerabilities are zero-days.
AI is finding zero-days that humans are not finding, and pretty soon will be finding more than humans. We have seen vendor after vendor report that AI found vulnerabilities, including zero-days, that they did not find otherwise. They found those bugs and zero-days in code bases that had been thoroughly analyzed by humans and pre-AI tools. AI is only going to get better at finding vulnerabilities and zero-days. It is already happening…right now!
Many notable vulnerability finders are claiming their jobs are over! I am not sure how true that is, any more than I am sure it is true for programmers. AI will be a tool used by programmers and vulnerability finders to be more efficient and effective. But, yeah, AI is going to give bug hunters a run for their money. I would not want to have a job in transcription, be a radiologist reading X-rays, or, now added to that list, be a bug hunter.
But when I was a professional bug hunter (for over 20 years), my own personal experience was that the bug hunting tools found about half the vulnerabilities, and I found the other half. Oftentimes, I would see a weird result from the automated tool, claiming it found something that it hadn’t, but in exploring that false-positive finding, I would find something even better.
I hear the AI-enabled tools are significantly increasing their autonomous effectiveness, but I am not sure that means the end of all human-created bug finders. I think humanity and the way we think is vastly overrated. But I do think AI will kill all the average and below-average bug hunters who were mostly just relying on the tools already.
In any case, because of AI, we will see more security vulnerabilities found and more zero-days.
Prepare for a drastic increase in the number of publicly known unique vulnerabilities. We are talking multiple hundreds of new ones a day. Most of them will be zero-days, more of them will be critical, and more will be found and exploited faster.
This all means you need to get your patch management down to an exact, quick science. You no longer have weeks to patch. It is days, and even soon, closer to minutes (more on that in another forthcoming article).
Unpatched software and firmware vulnerabilities are involved in at least a third of successful compromises (only behind social engineering as a root hacking cause). That percentage is likely rising. Your vulnerability defenses need to increase in speed and efficiency.
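As an added example (not from the original article), here is what tracking "days, not weeks" patching can look like in practice: it classifies vulnerability records as zero-days using the definition above (exploited in the wild before public disclosure and/or before a vendor patch was available), computes the zero-day share of exploited vulnerabilities, and flags records whose exposure window exceeds a patch SLA. All record ids and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class VulnRecord:
    vid: str                            # constructed placeholder id, not a real CVE
    disclosed_on: date                  # date the vulnerability became public
    patch_available_on: Optional[date]  # vendor patch release date, None if no patch yet
    first_exploited_on: Optional[date]  # first known in-the-wild exploitation, None if none
    patched_in_env_on: Optional[date]   # date we applied the fix, None if still open

def is_zero_day(v: VulnRecord) -> bool:
    """Zero-day per the article: exploited before the public knew about it
    and/or before a vendor patch existed."""
    if v.first_exploited_on is None:
        return False
    before_disclosure = v.first_exploited_on < v.disclosed_on
    before_patch = (v.patch_available_on is None
                    or v.first_exploited_on < v.patch_available_on)
    return before_disclosure or before_patch

def zero_day_share(records: List[VulnRecord]) -> float:
    """Fraction of exploited vulnerabilities that were zero-days."""
    exploited = [v for v in records if v.first_exploited_on is not None]
    if not exploited:
        return 0.0
    return sum(is_zero_day(v) for v in exploited) / len(exploited)

def exposure_days(v: VulnRecord, today: date) -> int:
    """Days at risk: from the earlier of disclosure or exploitation until we patched (or today)."""
    start = v.disclosed_on
    if v.first_exploited_on is not None:
        start = min(start, v.first_exploited_on)
    end = v.patched_in_env_on or today
    return (end - start).days

def sla_breaches(records: List[VulnRecord], today: date, max_days: int) -> List[str]:
    """Ids whose exposure window exceeds the allowed patch SLA in days."""
    return [v.vid for v in records if exposure_days(v, today) > max_days]

# Constructed sample inventory (placeholder ids and dates).
SAMPLE = [
    VulnRecord("VULN-A", date(2025, 3, 1), date(2025, 3, 1), date(2025, 2, 20), date(2025, 3, 3)),
    VulnRecord("VULN-B", date(2025, 3, 5), date(2025, 3, 12), date(2025, 3, 7), date(2025, 3, 13)),
    VulnRecord("VULN-C", date(2025, 3, 10), date(2025, 3, 10), date(2025, 3, 20), None),
    VulnRecord("VULN-D", date(2025, 3, 15), date(2025, 3, 15), None, date(2025, 3, 16)),
]
TODAY = date(2025, 3, 25)
```

With a 10-day SLA, VULN-A and VULN-C are breaches, and two of the three exploited records count as zero-days.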
One day, we will look back on the fact that we “only” had 48,000 exploitable vulnerabilities in a given year to worry about as the good ole glory days. Well, until AI vibe coding starts making far more secure code. But we are nowhere close at the moment.
