Abstract
This paper addresses the feasibility of vulnerabilities present in the software. Vulnerabilities present in such software represent significant security risks. For Windows 98 and Windows NT 4.0, we present plots of the cumulative number of vulnerabilities found. A time-based model for the total number of vulnerabilities discovered is proposed and fitted to the data for the two operating systems. We introduce a measure termed equivalent effort and propose an alternative model that is analogous to the software reliability growth models. We present data on the known defect densities of the two operating systems and discuss the relation between the density of vulnerabilities and that of general defects. This relationship could lead to ways of estimating the number of vulnerabilities in the future.