angler-fishThe Vulnerability History Project

Projects We Study

We carefully choose which projects to study based on the following criteria:

  • Does this project keep good records? Specifically: do they faithfully disclose vulnerabilities? Can we trace the vulnerabilities to their version control fix commits?
  • Is the project large or meaningful enough to have it history be useful to professionals, students, and academics?
  • Does pursuing this data enable us to help draw some meaningful conclusions, potentially via statistics? This means broadening our scope via programming languages, technologies, open source models, etc.

Chromium Browser

The Chromium Browser project is the open source project behind Google Chrome. Throughout the VHP, when we refer to Chromium, we are referring to the Browser. This study does not include ChromeOS.

VHP has data on 1498 vulnerabilities in Chromium.

These vulnerabilities have been reported and confirmed by the Chromium team. Chromium typically releases this data on their [release blog](


"Django makes it easier to build better Web apps more quickly and with less code." -

VHP has data on 100 vulnerabilities in Django.

These vulnerabilities are reported by the Django development team [on their news feed](


"FFmpeg is the leading multimedia framework, able to decode, encode, transcode, mux, demux, stream, filter and play pretty much anything that humans and machines have created. It supports the most obscure ancient formats up to the cutting edge. No matter if they were designed by some standards committee, the community or a corporation. It is also highly portable: FFmpeg compiles, runs, and passes our testing infrastructure FATE across Linux, Mac OS X, Microsoft Windows, the BSDs, Solaris, etc. under a wide variety of build environments, machine architectures, and configurations." -

VHP has data on 287 vulnerabilities in FFmpeg.

These vulnerabilities are reported by the FFmpeg development team [on their site](

Apache HTTPD Web Server

Apache HTTPD is the most popular web server in the world.

VHP has data on 178 vulnerabilities in HTTPD.

These vulnerabilities are reported by the Apache HTTPD team [on their website](

Linux Kernel

The Linux kernel is the basis for all Linux operating system distributions. From their website: "Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net."

VHP has data on 2507 vulnerabilities in Linux Kernel.

These vulnerabilities have been reported and confirmed by the Linux development team. Special thanks to the folks at the [Linux Kernel CVE]( for tracking this data.

Apache Struts

Apache Struts is an MVC web application framework in Java

VHP has data on 52 vulnerabilities in Struts.

These vulnerabilities are reported by the development team [on their website](


"systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. systemd provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. systemd supports SysV and LSB init scripts and works as a replacement for sysvinit." -systemd website

VHP has data on 32 vulnerabilities in systemd.

These vulnerabilities are collected from the National Vulnerabilities Database, acknowledged by the developers.

Apache Tomcat

"The Apache Tomcat® software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies" -

VHP has data on 188 vulnerabilities in Tomcat.

These vulnerabilities are reported by the Apache Tomcat team [on their website](