NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. On open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM).

Having a precise vulnerability discovery model (VDM) would provide a useful quantitative insight to assess software secu- rity. Thus far, several models have been proposed with some evidence supporting their goodness-of-t. In this work we describe an independent validation of the applicability of six existing VDMs in seventeen releases of the three popular browsers Firefox, Google Chrome and In- ternet Explorer. We have collected ve dierent kinds of data sets based on dierent denitions of a vulnerability. We introduce two quantitative metrics, goodness-of-t en-

Some of the current world’s biggest problems revolve around security issues. This has raised recent interest in resource allocation models to manage security threats, from terrorism to organized crime through money laundering. One of those approaches is adversarial risk analysis, which aims at dealing with decision making problems with intelligent opponents and

Recent large scale terrorist attacks have raised interest in models for resource allocation against terrorist threats. The unifying theme in this area is the need to develop methods for the analysis of allocation decisions when risks stem from the intentional actions of intelligent adversaries. Most approaches to these problems have a game theoretic flavor although there are also several interesting decision analytic based proposals.