Study: 80% of Qubes OS Security Bulletins Trace to Xen, CPU
Analysis of 109 Qubes Security Bulletins shows 79.8% trace to Xen or CPU issues, not Qubes code, with disclosure rates plateauing since 2018.
A longitudinal analysis of 109 public Qubes Security Bulletins (QSBs, 2011-2025) alongside the official Xen Security Advisory (XSA) tracker finds that Qubes OS's public security record remains dominated by upstream dependencies. Under primary attribution, 79.8% of QSBs (87 of 109) trace back to Xen, CPU/microarchitectural issues, or other upstream components rather than Qubes-specific code, while 113 of 464 tracked XSAs affect Qubes.
Statistical change-point analysis identifies 2015Q1 as the dominant break in quarterly disclosure activity, with annual rates plateauing rather than declining after 2018. Poisson and negative-binomial checks confirm the pattern holds under dispersion diagnostics, and a stratified audit validates the component-attribution methodology used to classify bulletins.
The paper also evaluates vulnerability discovery models (VDMs): S-shaped curves fit historical data descriptively but fail to significantly beat a simple rolling-mean baseline for short-horizon forecasts. For engineers designing or assessing isolation-based security architectures like Qubes, the findings highlight that hypervisor and hardware trust anchors — not the Qubes codebase itself — remain the dominant source of disclosed risk.