
Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities


Part 2 of our kernel vulnerability analysis. Part 1 covered bug lifetimes and VulnBERT. This post digs into the human side: who introduces vulnerabilities, when they do it, and what we can do about it.

In Part 1, I analyzed 125,000 kernel bugs and found they hide for 2.1 years on average, with race conditions surviving over twice as long as other bug types. I built VulnBERT to catch them at commit time.

But that analysis treated bugs as abstract data points. This time I asked different questions: Who writes the buggy code? When do they write it? And who are the super-reviewers who catch bugs faster than anyone else?

The answers surprised me. Weekend commits are actually less likely to introduce vulnerabilities, but they take 45% longer to fix. Intel contributes the most bugs because they contribute the most code. And 117 "super-reviewers" catch bugs nearly twice as fast as everyone else.

The findings point toward concrete process improvements that could reduce average bug lifetime by 35%.

Key findings at a glance:

- 117 super-reviewers who catch bugs 47% faster than average
- 0.88 years: self-fix lifetime (vs 2.59 years for cross-fixes)
- -8%: weekend commits are LESS likely to be vulnerable
- +45%: but weekend bugs take longer to fix (review coverage)
- 5.0 years: average lifetime for race conditions (2x deadlocks)
- ~35%: estimated reduction possible with process improvements

The Super-Reviewers

Not all bug-fixers are created equal. When I ranked everyone who had fixed at least 50 bugs, a clear pattern emerged: some people consistently find bugs faster than others.
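As an added illustration of the ranking described above (not code from the post, which does not publish its analysis scripts), here is a small Python sketch over constructed bug records: lifetime from introducing commit to fix, per-fixer median lifetimes with a minimum-fix threshold so one lucky fix cannot top the list, and the self-fix versus cross-fix split. The names and dates are hypothetical.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample records, one per fixed bug:
# (introducing author, introducing commit date, fixer, fix commit date).
# Names and dates are hypothetical, not data from the article.
BUGS = [
    ("alice", date(2018, 1, 1), "alice", date(2018, 7, 1)),   # self-fix
    ("alice", date(2018, 1, 1), "carol", date(2020, 1, 1)),
    ("bob",   date(2019, 3, 4), "carol", date(2019, 9, 1)),
    ("bob",   date(2019, 3, 4), "dave",  date(2021, 3, 4)),
    ("bob",   date(2019, 3, 4), "bob",   date(2019, 6, 4)),   # self-fix
    ("eve",   date(2020, 1, 6), "carol", date(2020, 4, 6)),
    ("eve",   date(2020, 1, 6), "dave",  date(2022, 1, 6)),
]

def lifetime_days(record):
    """Bug lifetime: days between the introducing commit and the fix."""
    _, introduced, _, fixed = record
    return (fixed - introduced).days

def fixer_median_lifetimes(bugs, min_fixed):
    """Median lifetime of the bugs each fixer closed, keeping only fixers
    with at least min_fixed fixes so a lucky one-off does not rank first."""
    per_fixer = defaultdict(list)
    for rec in bugs:
        per_fixer[rec[2]].append(lifetime_days(rec))
    return {f: median(v) for f, v in per_fixer.items() if len(v) >= min_fixed}

def super_reviewers(bugs, min_fixed):
    """Fixers whose median lifetime beats the corpus-wide mean, with how
    much faster they are as a fraction (0.5 == bugs live half as long)."""
    overall = mean(lifetime_days(r) for r in bugs)
    medians = fixer_median_lifetimes(bugs, min_fixed)
    return {f: round(1 - m / overall, 2) for f, m in medians.items() if m < overall}

def self_vs_cross_fix(bugs):
    """Mean lifetime when the introducing author fixes their own bug
    versus when someone else does."""
    own = [lifetime_days(r) for r in bugs if r[0] == r[2]]
    other = [lifetime_days(r) for r in bugs if r[0] != r[2]]
    return mean(own), mean(other)

if __name__ == "__main__":
    print("fixer medians (days):", fixer_median_lifetimes(BUGS, 2))
    print("super-reviewers:", super_reviewers(BUGS, 2))
    print("self vs cross fix (days):", self_vs_cross_fix(BUGS))
```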

I defined a super-reviewer as someone who:

Has fixed 100+ bugs
