300 reasons why you shouldn’t switch browsers
There are many reasons why you might consider switching to a browser other than Google Chrome. But the number of security vulnerabilities is not unique. Here’s why.
Google’s security princess speaks out on ‘confusing’ CVE count reports
Parisa Tabriz has three job titles: security princess at Google, Project Zero ‘den mom’ and browser boss at Google Chrome. Tabriz, more formally Director of Engineering at Google, knows a thing or two about Chrome vulnerabilities, as you might imagine.
That’s why it didn’t surprise me at all to read the security princess’s short Twitter thread decrying the “confusion” about what vulnerability counts really mean. The particular confusion concerns reports that appear to equate the number of disclosed vulnerabilities with an insecure product.
This tweet thread referred to “less than sophisticated research” on Chrome’s security that was published this week. The report states that “the world’s most popular browser, Google Chrome, also has the most reported vulnerabilities, with 303 vulnerabilities discovered to date.” This is based on the latest figures found in the VulnDB vulnerability database. The report also covered the number of vulnerabilities for competing browsers.
Does a high number of vulnerability reports equate to an insecure product?
So far, so good. However, a little research turns up a myriad of posts claiming that Chrome is the most vulnerable browser, or similar. For anyone with a security background, equating the number of disclosed and patched vulnerabilities to being “more vulnerable” than a product with fewer is, frankly, nonsense. I should point out that neither the original report nor the vulnerability database it was based on made this incorrect assumption.
Back to Google’s browser boss, then. “Some journalists seem, unfortunately, confused as to what CVE *counts* really means. The answer: not much.” CVEs are the Common Vulnerabilities and Exposures system by which vulnerabilities are referenced and rated based on their severity.
Tabriz’s argument was that a number of media reports suggested that a browser with more vulnerabilities than its competitors was therefore less secure, even when many of those competitors are built on the same Chromium engine.
Google is one of the best security specialists in the industry
I agree with the security princess; the whole argument is really weird. Check out my report, also published today, which examines a series of Google video documentaries giving insight into the internal security teams there. Google has some truly amazing security specialists, some of the best in the business, you might say, and the fact that vulnerabilities are found and patched reinforces that belief. Many vulnerabilities are found by these internal teams, others by hackers who are part of the Google Bug Hunters platform. With over $35,000,000 paid out in bug bounties to 2,640 bug hunters, it would be hard to argue that the system isn’t working.
“More bugs fixed year after year is a good thing,” says Tabriz. “Bugs exist in every piece of software, so if you think fewer bug fixes equals more security, a lot of my team members would like to have a word.”
As my Forbes colleague Gordon Kelly says, “don’t let the numbers scare you off.”