Qubes OS Security in the Public Record
6 hours ago
- #Qubes OS
- #Security Measurement
- #Vulnerability Analysis
- Analyzes 109 public Qubes Security Bulletins (QSBs) from 2011 to 2025, along with Xen Security Advisories (XSAs), focusing on the public advisory record.
- Finds persistent upstream dependence: 79.8% of QSBs are attributable to Xen, CPU/microarchitecture, or other upstream components, not Qubes-core logic.
- Identifies 2015Q1 as a dominant break point in quarterly advisory series; post-2018 annual disclosure rates are statistically flat.
- Uses methods like change-point analysis, severity-proxy weighting, and audits to assess vulnerability discovery models, showing stable Poisson inferences.
- Concludes the Qubes public advisory record is stable but not quiet, with disclosure activity plateauing at a higher level than early years, concentrating on upstream trust anchors.