Hasty Briefsbeta

Bilingual

Qubes OS Security in the Public Record

6 hours ago
  • #Qubes OS
  • #Security Measurement
  • #Vulnerability Analysis
  • Analyzes 109 public Qubes Security Bulletins (QSBs) from 2011 to 2025, along with Xen Security Advisories (XSAs), focusing on the public advisory record.
  • Finds persistent upstream dependence: 79.8% of QSBs are attributable to Xen, CPU/microarchitecture, or other upstream components, not Qubes-core logic.
  • Identifies 2015Q1 as a dominant break point in quarterly advisory series; post-2018 annual disclosure rates are statistically flat.
  • Uses methods like change-point analysis, severity-proxy weighting, and audits to assess vulnerability discovery models, showing stable Poisson inferences.
  • Concludes the Qubes public advisory record is stable but not quiet, with disclosure activity plateauing at a higher level than early years, concentrating on upstream trust anchors.