Preprint + dataset: 14 years of the public Qubes security record, quantified

6 views
Skip to first unread message

Alfonso De Gregorio

unread,
Jul 17, 2026, 3:51:51 AM (yesterday) Jul 17
to qubes...@googlegroups.com
Hello all,

I've posted a preprint and a replication dataset analyzing the
project's public advisory history, and wanted to introduce it here.

"Qubes OS Security in the Public Record" measures the full run of 109
Qubes Security Bulletins (2011–2025) plus the Qubes-maintained XSA
tracker. One scoping caveat up front: it measures the *public advisory
record*, not latent vulnerability incidence or realized compromise –
counts reflect disclosure and research attention, not only code
quality.

You know your codebase's maturity better than any external count can;
the aim here is a quantitative, reproducible version of that picture,
plus the tooling to challenge it. In brief:

- 87 of 109 QSBs (79.8%, CI 71.3–86.3) trace to Xen,
CPU/microarchitectural, or other upstream components rather than
Qubes-core logic – stable across all four attribution views, and
echoed by the tracker (113/464 XSAs affecting Qubes). Qubes-core
issues do occur and some are serious, but they stay a clear minority,
which is what you'd expect when isolation concentrates risk in a few
upstream anchors.
- One dominant regime shift (2015Q1, four independent methods); the
post-2018 rate is statistically flat – a stable plateau, not growth
(the paper stops short of an exhaustion claim).
- The plateau isn't homogeneous: all 23 transient-execution/microcode
advisories are post-2018 (31.5% of bulletins since), tracking external
microarchitectural research waves rather than Qubes-core discipline.
- Negative result: S-shaped discovery models are the best descriptive
fit but beat no naive baseline at short-horizon forecasting
(Diebold–Mariano, p = 0.978 on the primary series).

* Preprint: https://arxiv.org/abs/2607.14587
* Dataset (CC-BY-4.0): https://doi.org/10.5281/zenodo.21360033
* Project summary: https://www.pwnshow.com/investigations/INV-006/

The bundle reproduces every figure and lets you substitute your own
attribution rules. I'd especially value the project's view on two
judgment calls that move the numbers: the title-driven attribution
codebook (it passed a 30-QSB manual audit at 96.7% accuracy, but your
assignment intuitions matter more than mine) and the XSA relevance
policy (including the host-DoS exclusion).

For disclosure: in my other life, I direct Zeronomi (a
vulnerability-acquisition market); this work was done independently
while wearing my Pwnshow hat, unfunded, and on public sources only.

With my thanks and kind regards,
Alfonso

Marek Marczykowski-Górecki

unread,
Jul 17, 2026, 6:29:13 AM (yesterday) Jul 17
to Alfonso De Gregorio, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Jul 17, 2026 at 07:25:58AM +0000, Alfonso De Gregorio wrote:
> Hello all,
>
> I've posted a preprint and a replication dataset analyzing the
> project's public advisory history, and wanted to introduce it here.
>
> "Qubes OS Security in the Public Record" measures the full run of 109
> Qubes Security Bulletins (2011–2025) plus the Qubes-maintained XSA
> tracker. One scoping caveat up front: it measures the *public advisory
> record*, not latent vulnerability incidence or realized compromise –
> counts reflect disclosure and research attention, not only code
> quality.

Thanks for sharing, interesting paper :)

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmpaA/EACgkQ24/THMrX
1yyNdgf/Xv8W24tN+vHsrtj5ufAMSquGDARFP7owP6Umpc17BoDjx2W3SBGh/c5Z
R2OXaAcyyDtEh5q4r6liY1VdcKG6HgwXoM/mXK4mMKSI7YCXs6BGgR3Jb1E6+lda
qYDH5JLc+gYvBtOS/+KcSfaPvj57yuw/AYIxyHW6WGnKLDZYMBO73lVrmJ3IH/01
WnUNxk649Tm4uP4vV32j8ck1azjKQtzqokfPy3Dgug88oxE6ziisvvxLeZGIMM6b
sXZvl0V0AGZXozE8nYIA2Fn8Y7tmyJjFa6lgfzQ725eXVHsYZpcyb0rjLjtCo3t7
KiJ5QFdbAJqi3A3ZQMbtmQofQXLUWA==
=HNNg
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages