About vulnerability "half-life":
I still have to dig into the works referenced by the recent Google post[1], but it the data is obviously based on known vulns.
https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.htmlBecause of this I think the conclusion shouldn't be that bugs naturally die out ("half-life"). Rather, if we have a fixed set of methods to discover vulns, we will eventually find everything _we currently can_ in a fixed code base, and we will again find some in new code.
I think Orange Tsai's latest work on Apache modules is a great demonstration of how a new approach can result in a bunch of CVE's. But the "realization" about format strings also comes to mind. How much "old" code had to be fixed because of that?
What I'd like to see is some data on memory-safe languages blocking otherwise vulnerable code paths, or vulns getting discovered during integration with safe languages.