Software vulnerability: Definition, modelling, and practical evaluation for e-mail transfer software

This paper proposes a method of assessing software vulnerability quantitatively. By expanding the concept of the IPO (input–program–output) model, we first define the software vulnerability and construct a stochastic model. Then we evaluate the software vulnerability of the sendmail system by analyzing the actual security-hole data, which were collected from its release note. Also we show the relationship between the estimated software reliability and vulnerability of the analyzed system.