HN Reader

Ask HN: The government of my country blocked VPN access. What should I use?

914 points by rickybule 14h ago 514 comments

Ask HN: What to learn for math for modeling?

28 points by shivajikobardan 1d ago 13 comments

Ask HN: What to do when you suspect your interview is with a state operative?

15 points by puppycodes 6h ago 1 comments

Best up-to-date guides on Vibe Coding

2 points by grigy 3h ago 0 comments

Ask HN: Why hasn't x86 caught up with Apple M series?

432 points by stephenheron 3d ago 616 comments

Staying up to date on the best AI dev workflow?

4 points by peapod91 5h ago 0 comments

Ask HN: How much better can the LLMs become assuming no AGI

2 points by yalogin 7h ago 2 comments

Ask HN: Anyone working on bringing software back from US clouds?

8 points by sam_lowry_ 17h ago 5 comments

Ask HN: Services for Shutting Down a Startup?

2 points by Felicia_Juhn 10h ago 4 comments

Ask HN: How can I recover and run my old mobile game from the 2010s?

56 points by diasks2 4d ago 46 comments

Ask HN: Where can I see a live octopus in Maine?

7 points by Octopus88 11h ago 1 comments

Ask HN: How to teach a 4 year old to code?

5 points by kamphey 7h ago 8 comments

CompactifAI Inference API

3 points by Compactifai 13h ago 0 comments

Ask HN: Did modern AI's coding abilities make you lose interest in programming?

30 points by amichail 1d ago 42 comments

Ask HN: What are the best Google alternatives in 2025?

15 points by eel 1d ago 4 comments

Anthropick.com Redirects to ChatGPT

13 points by nerdcortex 1d ago 2 comments

Ask HN: GitHub Copilot down?

58 points by thecopy 1d ago 21 comments

Ask HN: What to Do with Old iPads?

30 points by owenmakes 2d ago 19 comments

Petition to stop Google from restricting sideloading and FOSS apps

273 points by nativeforks 20h ago 181 comments

Ask HN: Best codebases to study to learn software design?

103 points by pixelworm 5d ago 90 comments

Units of Economics of LLMs. Reply to Ed Zitron's "AI Is a Money Trap"

6 points by tudorizer 2d ago 8 comments

Ask HN: Does sentience put stress on the brain?

7 points by trinsic2 2d ago 7 comments

Ask HN: Is there a temp phone number like temp email?

9 points by piratesAndSons 2d ago 11 comments

Ask HN: Windows 11 Update Fail – Linux Distro Suggestions?

4 points by giardini 13h ago 7 comments

Ask HN: How to Learn to Build Agentic AI Systems (Like Claude Code)

8 points by hhimanshu 1d ago 4 comments

Out of curiosity: what kind of people use this "forum" (I mean Hacker News)?

21 points by adinhitlore 2d ago 28 comments

Ask HN: Why are so many services rejecting Google Voice numbers for signups?

13 points by electric_muse 2d ago 19 comments

Ask HN: What measures are you taking to stop AI crawlers?

6 points by kjok 1d ago 14 comments

Ask HN: Is backlink trading still a problem worth solving?

3 points by sathishn 1d ago 2 comments

Ask HN: What should I use to run React Native tests on a device?

4 points by dboreham 2d ago 0 comments

Stop squashing your commits. You're squashing your AI too

4 points by jannesblobel 2d ago 10 comments

Ask HN: Are AI filters becoming stricter than society itself?

29 points by tsevis 5d ago 16 comments

Ask HN: I just abandoned my PyCharm subscription, what should I use now?

23 points by jmward01 4d ago 23 comments

Ask HN: Any experienced devs who use AI extensively in their work?

3 points by atleastoptimal 2d ago 4 comments

Ask HN: How do you find early stage startups to join

44 points by gavino 6d ago 23 comments

Stop Using Vulnerability Counts to Measure Software Security

13 zdw 4 8/28/2025, 9:29:47 PM cacm.acm.org ↗

Comments (4)

notepad0x90 · 3h ago
Totally agree with this take. That said, you must account for the size of the codebase and associated attack surfaces and compare that with frequency of a particular bug class consistently popping up on every CVE.

In other words, you shouldn't use vulnerability counts, but you can discern patterns of vulnerability to intuit something about the nature of the codebase.

For example, RCE vulnerabilities on Chrome, especially under V8 while not very common they happen commonly enough to suspect that maybe there is some code quality issue. However, if you look at the sheer size of V8, and how much scrutiny and research it undergoes, it is surprising there aren't even more critical vulns being found all the time. JIT is inherently a risky endeavor.

mouse_ · 9h ago
There is no objective way to measure the security of an inherently insecure system.

Assume breach.

dentemple · 3h ago
Okay, but my boss still demands I give him a metric. I'm not allowed to tell him, "Just trust me bro" when I'm asked how much our security has improved over the past sprint. I'm supposed to give hard numbers, and the OP at least offers an alternative for that.
DANmode · 2h ago
Pick something that resembles a vuln→patch interval,

not just a context-less number that means they're popular, audited, or reviewing their OWN code all the time.

Instances where 0-days can't be used in isolation are a perfect example of where nontechnical people absolutely need to "just trust" someone to triage, and perform threat modeling for them.