In 2013, the number of software flaws of critical severity — as measured by their ranking on the Common Vulnerability Scoring System (CVSS) — dropped by about 9 percent. Critical flaws are increasingly being sold to penetration testing firms and government agencies. Experts are increasingly critical of the CVSS's ability to measure the true severity of a vulnerability. Other buyers in the market could account for the decrease both in critical vulnerabilities and in vulnerabilities sold to white-market bounty programs such as ZDI. Researchers are increasingly paid for their vulnerability research, and they have more opportunities to get paid.

