"Who discovers the most security vulnerabilities? That’s one of the more frequent questions I’ve encountered over the past few years. Funnily enough there’s usually a high correlation between the timing of my being asked and the latest marketing blitzkrieg customers may have encountered (not from IBM of course). It seems that every major (and not-so-major) security vendor goes though a phase of extolling the virtues of discovering their own subset of global security vulnerabilities – which further muddies the water.

So, who’s discovering the most security vulnerabilities? You can take a guess, but you’re probably wrong.

Since its conception, X-Force has been tasked with recording and analyzing all publicly disclosed security vulnerabilities. With around 40,000 disclosures catalogued thus far, the X-Force vulnerability database contains the wealth of well over a decade of threat analysis and plays a key role X-Force’s ability to understand the evolving threat landscape.

Note: If you get a chance to browse through the X-Force 2008 Trend & Risk Report (all 106 pages of it), you’ll get a better appreciation of the value X-Force extracts from the historical data.

One thing you won’t find in the report is the answer to the question though.

By way of history, a handful of years ago several large security vendors were jockeying for first place on the vulnerability discovery podium. With all the antics over which vendor was discovering the "most" (measured by values such as volume, criticality, "wormability" or even "coolness"), many security customers were missing the big picture – commercial vulnerability research groups only really discover a tiny fraction of the badness out there by themselves.

Things have changed a little since then – largely due to concerted efforts of the X-Force – and customers now have a much better grasp of the true nature of vulnerability discovery and its scale. With that in mind, I thought it was about time I shed a little light as to who the “shining stars” of vulnerability discovery are (or were)."

While fr0gman didn't get the top spot, he wins most elite handle in that short list.

Read more: http://blogs.iss.net/archive/2008Top10VulnResearc.html