Google also makes claims[1] corroborating this ratio in their own work. It's an endless ammo supply for the memory safety argument. (The linked story doesn't argue otherwise, despite the headline.)
That is correct. Measurements including all vulnerabilities have memory safety ones somewhere in the ballpark of 15%. A pretty extreme minority overall.
This doesn’t gel with the hive mind though, so you probably won’t see it pop up terribly often.
Then you get headlines like this: "Microsoft: 70 percent of all security bugs are memory safety issues", which is flat out wrong and contradicts itself in the first line of the article.
The HN post that we are commenting on even says "To me, the fact 70% of security vulnerabilities arise from a lack of memory safety is not the reason that memory safety is important." which is also false and certainly needs clarification.
Perhaps the correct statement is something like "70% of security vulnerabilities in large projects written in C or C++ are memory safety issues", with the understanding that there is a lot of software that is subject to that statistic and a lot that isn't.
This is only true in certain contexts isn’t it?
I seem to recall reading recently that some very high percentage of web security holes are caused by insecure exposed functions.