It’s hard to find a software engineer who doesn’t use curl. This little tool is written by Daniel Stenberg, a guy who likes to blog about software and to collect and visualize uncomfortable amounts of data. In his recent post, he analyzes the data on security vulnerabilities in curl, and the results are pretty interesting.
What caught my attention is the average age of a security vulnerability: more than seven years. This got me thinking about the popular argument that we shouldn’t update software right away and should instead wait for a while, just to make sure no security issues turn up in the new release. Based on the curl data, waiting doesn’t make any sense. When we update our programs, we do risk picking up new vulnerabilities. The thing is, nobody will know about them for a long time, whereas promptly applied security updates make sure our software is free of known vulnerabilities, which is far more important.
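To put that argument in numbers, here is an added example (my own, not from the post and not curl's real data) that models a "wait N days before installing a release" policy over a constructed set of vulnerability lifetimes. It assumes the fixing release is also the disclosure date and that a release already carrying a public bug is skipped; it then counts how many days you spend running a bug nobody knows about versus a bug that is public with a fix available.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    """A bug, with the release date that introduced it and the one that fixed it.
    Assumption: the fix ships together with the disclosure, so `fixed` is also
    the day the bug became public knowledge."""
    name: str
    introduced: date
    fixed: date

    @property
    def lifetime_days(self) -> int:
        return (self.fixed - self.introduced).days


# Constructed sample, NOT curl's data: lifetimes of years, as the post describes,
# plus one bug that was caught within weeks.
SAMPLE = [
    Vuln("bug-a", date(2010, 1, 20), date(2018, 3, 14)),
    Vuln("bug-b", date(2014, 6, 4), date(2019, 9, 11)),
    Vuln("bug-c", date(2016, 9, 14), date(2016, 10, 5)),  # found after three weeks
    Vuln("bug-d", date(2012, 11, 6), date(2020, 1, 8)),
]


def exposure(vulns, delay_days: int) -> dict:
    """Quarantine policy: a release is installed `delay_days` after it ships, and
    skipped if one of its bugs is already public by then.

    Returns how many bugs the wait avoided entirely, the days spent running a bug
    nobody knew about, and the days spent running a bug that was public with a
    fix available (the window attackers can actually act on)."""
    avoided = unknown_days = known_days = 0
    for v in vulns:
        if v.lifetime_days <= delay_days:
            avoided += 1  # disclosed before we would have installed that release
            continue
        unknown_days += v.lifetime_days - delay_days  # vulnerable, but unknown to all
        known_days += delay_days  # fix is out, bug is public, we are still waiting
    return {"avoided": avoided, "unknown_days": unknown_days, "known_days": known_days}


if __name__ == "__main__":
    for d in (0, 30, 90):
        print(f"wait {d:>3} days -> {exposure(SAMPLE, d)}")
```

Only the bug with a lifetime shorter than the waiting period is avoided; every other bug trades a few days of unknown exposure for the same number of days of publicly known exposure.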