CVEs, Exponential Growth and the next Log4Shell
I think many will remember Log4Shell as a security event. It has become a scale for the badness of a security event. “It’s an issue, but not the next Log4Shell” is a sentence I throw around from time to time.
A few days ago Josh Bressers published an article about the trends in CVEs and how “it’ll not go back to normal”. His reasoning is simple: the number of CVEs is growing exponentially right now. The number of CVE ids has doubled in the past 2 years.
So today, when thinking about this again, I thought: if the CVE count grows exponentially and Log4Shell was a once-in-a-decade event, does this mean the mean time between these global-scale security events also shrinks exponentially?
If that were true, it would mean we have 3-4 of these events by 2030: one due around 2026, another in 2028, one in 2029, and by 2030 it would be two per year.
I have no data to back up this claim, so for now it’s just a thought.
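To make the extrapolation above concrete, here is a small model I added for this post (my code, not the author's). It reproduces the post's reading, where each gap to the next event is half the previous one, and goes one step further by also integrating a continuously doubling rate, which yields a higher count by 2030. It assumes Log4Shell is dated 2021, a baseline of one event per 10 years, and a doubling time of 2 years.

```python
"""Extrapolate Log4Shell-scale event timing from the post's two premises."""
from math import log

# Assumed premises (taken from the post, not measured data):
BASELINE_YEAR = 2021            # Log4Shell
BASELINE_INTERVAL_YEARS = 10.0  # "once in a decade"
DOUBLING_YEARS = 2.0            # CVE count doubled in the past 2 years


def halving_interval_events(n_events, baseline_year=BASELINE_YEAR,
                            baseline_interval=BASELINE_INTERVAL_YEARS):
    """The post's reading: the gap between consecutive events halves each time,
    starting from half the old once-per-decade interval (5 years).
    Returns the (year, gap) pairs; a gap below 1 means more than one per year."""
    events = []
    gap = baseline_interval / 2
    year = baseline_year
    for _ in range(n_events):
        year += gap
        events.append((year, gap))
        gap /= 2
    return events


def expected_events_by(year, baseline_year=BASELINE_YEAR,
                       baseline_interval=BASELINE_INTERVAL_YEARS,
                       doubling_years=DOUBLING_YEARS):
    """Continuous model: rate(t) = (1/interval) * 2**((t - t0)/doubling).
    The expected number of events is the integral of rate(t) from t0 to year,
    i.e. base_rate * (2**((year - t0)/doubling) - 1) / (ln 2 / doubling)."""
    base_rate = 1.0 / baseline_interval
    growth = log(2) / doubling_years
    return base_rate * (2 ** ((year - baseline_year) / doubling_years) - 1) / growth


def mean_gap_in(year, baseline_year=BASELINE_YEAR,
                baseline_interval=BASELINE_INTERVAL_YEARS,
                doubling_years=DOUBLING_YEARS):
    """Mean time between events (years) once the rate has doubled that often."""
    return baseline_interval / 2 ** ((year - baseline_year) / doubling_years)


if __name__ == "__main__":
    for year, gap in halving_interval_events(4):
        print(f"event around {year:.2f} (gap {gap:.3f} years)")
    print(f"continuous model: {expected_events_by(2030):.1f} events by 2030, "
          f"mean gap in 2030 = {mean_gap_in(2030):.2f} years")
```

Under the post's halving reading the events land in 2026, 2028, 2029 and 2030 with the gap dropping below a year, while the continuous model integrates to about six events by 2030.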
Something that I think speaks for the thesis is that in 2024 the xz backdoor attempt failed. It could have resulted in such an event down the line. One could even argue that it was such an event on a small scale, because it was caught early on.
Something that speaks against the thesis: despite all the growth, the core packages of ecosystems are not doubling every two years, from my understanding. They are improved over time instead; the longer a core package hangs around, the more stable it should be, provided its scope of functionality doesn’t change. Thankfully a lot of core packages don’t.
Further, as an industry there are a lot of efforts under way to improve the security of critical packages. Whether they will be enough to keep this timeline from playing out, only time will tell.
I don’t exactly know what to make of this thought, but I’ll just put it out there. I guess we will talk again in a few years to see if it has proven to be correct or utter nonsense.