Why zero CVEs makes zero sense

However, there is a fundamental problem with the zero-CVE concept in practice: the only way to get close to zero CVEs at scale is to always run the latest upstream code. That gets you the latest security patches, but it also brings new features, new bugs, new regressions, new incompatibilities, configuration changes, and so on. Any code change can introduce new vulnerabilities (or instabilities), and those may be worse than the vulnerability that was fixed.

The issue is that not every software flaw is a threat to security, or at least not a serious one, and the rising tide of CVEs makes that distinction matter more. For example, about 30,000 CVEs were recorded in 2023, but nearly 40,000 in 2024.

Many variables feed this CVE inflation: more programmers writing code, AI code generators helping them, the sheer amount of new code being written, the growing complexity of that code, and the incentives for security researchers and attackers alike. Students and researchers, for example, are rewarded for finding and reporting CVEs with money, academic credit, and personal brand. Worse, as the AI wars heat up, we can expect the rate of new CVE discovery to climb rapidly. An arms race is coming in which AI assists both in finding CVEs and in patching them, and the likely outcome is absurd code churn. Some upstream projects have already refused to accept bug reports found by AI, because the flood of low-quality submissions amounts to a denial of service against their maintainers.
