Android logo

With 2016 officially over, we can crown Android as 2016's product with most vulnerabilities, and Oracle as the vendor with the most security bugs.

This statistic is based on the number of vulnerabilities reported by security researchers in the past year, bugs which have received a CVE identifier.

Android is 2016's most vulnerable product

According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award."

Second place in this ranking went to Debian Linux with 319 vulnerabilities, while third place went to Ubuntu Linux with 278 CVEs.

The rest of the top 10 is made up by Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

2015's winner, Mac OS X came only eleventh this year, with 215 security bugs, compared to last year, when researchers found 444 bugs in Apple's main OS.

Top 20 products

Past winners of this "prestigious award" include:

  • Apple Mac OS X in 2015 (444 bugs)
  • Internet Explorer in 2014 (243 bugs)
  • The Linux Kernel in 2013 (189 bugs)
  • Google Chrome in 2012 (249 bugs)
  • Google Chrome in 2011 (266 bugs)
  • Google Chrome in 2010 (152 bugs)
  • Mozilla Firefox in 2009 (126 bugs)
  • Mozilla Firefox tied with Apple OS X in 2008 (96 bugs)
  • PHP in 2007 (114 bugs)
  • Apple OS X in 2006 (106 bugs)
  • Linux Kernel in 2005 (133 bugs)
  • Internet Explorer in 2004 (59 bugs)
  • Solaris OS in 2003 (44 bugs)
  • Internet Explorer in 2002 (54 bugs)
  • RedHat Linux in 2001 (47 bugs)
  • RedHat Linux again in 2000 (47 bugs)
  • Windows NT in 1999 (64 bugs)

Oracle is 2016's vendor with most security bugs

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs.

Most of these security bugs have been reported in Oracle products such as MySQL, Solaris, and its custom Linux OS version.

Second to Oracle was Google, with 698 security bugs, with the most being reported in products such as Android and Chrome. Third was Adobe with 548 bugs, with the vast majority of bugs reported in Flash Player and different Reader/Acrobat variants.

The rest of the top 10 is made up of Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).

Top 20 vendors

Past vendors that have topped this unfortunate chart include:

  • Apple in 2015 (708 bugs)
  • IBM in 2014 (455 bugs)
  • Oracle in 2013 (496 bugs)
  • Oracle in 2012 (380 bugs)
  • Google in 2011 (295 bugs)
  • Microsoft in 2010 (317 bugs)
  • Microsoft in 2009 (236 bugs)
  • Microsoft in 2008 (236 bugs)
  • Microsoft in 2007 (255 bugs)
  • Microsoft in 2006 (267 bugs)
  • Microsoft in 2005 (166 bugs)
  • Microsoft in 2004 (148 bugs)
  • Microsoft in 2003 (103 bugs)
  • Microsoft in 2002 (243 bugs)
  • Microsoft in 2001 (173 bugs)
  • Microsoft in 2000 (143 bugs)
  • Microsoft in 1999 (171 bugs)