Qualys CTO Gerhard Eschelbeck Unveils Laws of Vulnerabilities at Black Hat Briefings

Research of the Largest Base of Real-World Vulnerability Data Reveals Half-Life, Prevalence, Persistence, and Exploitation Trends

Black Hat, Las Vegas, NV — July 30, 2003 — Gerhard Eschelbeck, CTO of Qualys™, Inc., the market leader in on-demand security audits and vulnerability management, today unveiled the Laws of Vulnerabilities, derived from the industry’s largest vulnerability dataset. The Laws reveal vulnerability half-life, prevalence, persistence, and exploitation trends. These trends were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period.

The laws derived from this research are:

  1. Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with lowering degrees of severity
  2. Prevalence: 50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis
  3. Persistence: The lifespan of some vulnerabilities is unlimited
  4. Exploitation: 80% of vulnerability exploits are available within 60 days after the vulnerability release

The Laws of Vulnerabilities were discussed today at the Black Hat Briefings by a panel of industry experts, including Mary Ann Davidson, Chief Security Officer of Oracle; Philip Zimmermann, creator of Pretty Good Privacy (PGP); Black Hat founder Jeff Moss; Simple Nomad, founder of NMRC; JD Glaser, President & CEO of NT OBJECTives, Inc.; and Gerhard Eschelbeck, CTO of Qualys. The panel was moderated by well-known Black Hat participant Richard Thieme.

“The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage,” said Gerhard Eschelbeck, Qualys CTO & Vice President of Engineering, and author of the Laws of Vulnerabilities. “Our job is to help organizations understand the broader trends, the potential for damage and the priority of vulnerabilities, so they can make more effective and more immediate decisions to protect their networks. With research like this, we can provide the industry with a statistical look at network threat trends in real time.”

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on-demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on-demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organizations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey