Hello all,
I've posted a preprint and a replication dataset analyzing the
project's public advisory history, and wanted to introduce it here.
"Qubes OS Security in the Public Record" measures the full run of 109
Qubes Security Bulletins (2011–2025) plus the Qubes-maintained XSA
tracker. One scoping caveat up front: it measures the *public advisory
record*, not latent vulnerability incidence or realized compromise –
counts reflect disclosure and research attention, not only code
quality.
You know your codebase's maturity better than any external count can;
the aim here is a quantitative, reproducible version of that picture,
plus the tooling to challenge it. In brief:
- 87 of 109 QSBs (79.8%, CI 71.3–86.3) trace to Xen,
CPU/microarchitectural, or other upstream components rather than
Qubes-core logic – stable across all four attribution views, and
echoed by the tracker (113/464 XSAs affecting Qubes). Qubes-core
issues do occur and some are serious, but they stay a clear minority,
which is what you'd expect when isolation concentrates risk in a few
upstream anchors.
- One dominant regime shift (2015Q1, four independent methods); the
post-2018 rate is statistically flat – a stable plateau, not growth
(the paper stops short of an exhaustion claim).
- The plateau isn't homogeneous: all 23 transient-execution/microcode
advisories are post-2018 (31.5% of bulletins since), tracking external
microarchitectural research waves rather than Qubes-core discipline.
- Negative result: S-shaped discovery models are the best descriptive
fit but beat no naive baseline at short-horizon forecasting
(Diebold–Mariano, p = 0.978 on the primary series).
* Preprint:
https://arxiv.org/abs/2607.14587
* Dataset (CC-BY-4.0):
https://doi.org/10.5281/zenodo.21360033
* Project summary:
https://www.pwnshow.com/investigations/INV-006/
The bundle reproduces every figure and lets you substitute your own
attribution rules. I'd especially value the project's view on two
judgment calls that move the numbers: the title-driven attribution
codebook (it passed a 30-QSB manual audit at 96.7% accuracy, but your
assignment intuitions matter more than mine) and the XSA relevance
policy (including the host-DoS exclusion).
For disclosure: in my other life, I direct Zeronomi (a
vulnerability-acquisition market); this work was done independently
while wearing my Pwnshow hat, unfunded, and on public sources only.
With my thanks and kind regards,
Alfonso