INV-006
A Longitudinal Analysis of Qubes OS Security
Mature, but not quiet: fourteen years of public evidence on where isolation concentrates risk
A Pwnshow Investigation · 2023– · Status: active · Programs: Investigations

1. The question
Earlier entries in this series established two claims by argument: that trust architectures fail at their weakest assumed-trustworthy component (INV-002), and that the hardware substrate can silently betray the assumptions software builds on it (INV-000). This investigation asks whether those claims can be measured. Qubes OS is the ideal instrument: an operating system built around security-by-compartmentalization, whose architecture makes component boundaries security-relevant and whose fourteen-year public record of signed advisories makes the question empirically answerable. If compartmentalization works as intended, the public security burden should land not in the logic Qubes owns but in the anchors it is forced to trust — the hypervisor and the processor. The investigation tests that prediction against 109 Qubes Security Bulletins (2011–2025), the project’s own Xen-advisory tracker, and the discipline of a measurement protocol designed to resist convenient narratives, including this agency’s own.
2. Method note
Movements engaged. Three of the four movements so far; the fourth is beginning. The conceived adversarial process: treat the maturity story a project tells about itself as a hypothesis to be attacked — pre-commit the architectural breakpoint rather than mining it from the data, audit the attribution rules against their own failure modes, and force every predictive claim to beat a naive baseline before it is allowed to stand. The process was matched to the researched subject (an isolation architecture whose documentation makes its trust anchors explicit) and executed to the standard of evidence: a fully reproducible primary dataset released as a citable archival artifact, and a public preprint. Peer-review validation is pending — the manuscript is under revision for archival resubmission — and the record here claims exactly that much and no more. Translation across registers begins with circulation to the operating-system community itself (see §7).
Instruments. Complete reconstruction of the public QSB ledger (109 bulletins, 2011–2025) and the official Qubes-maintained XSA tracker; a deterministic, audited component-attribution codebook reported under four views (primary, incidence, weighted, identifier-weighted) with a stratified 30-bulletin manual validation; formal change-point analysis by four independent methods; Poisson inference with overdispersion diagnostics and negative-binomial sensitivity; transparent severity proxies (identifier multiplicity, a transient-execution tag); documentary latency lower bounds; vulnerability-discovery-model fits evaluated by rolling one-step forecasts against naive baselines with Diebold–Mariano tests.
Exclusions. Deliberate, and stated as evidence-grade boundaries: the object of measurement is the public advisory record, not the latent vulnerability incidence or operational security posture of Qubes OS — advisory counts are shaped by disclosure policy, reporting practice, and research attention as well as by software quality, and the findings are claims about that record. Further: no bulletin-level CVSS enrichment (the public record will not support it honestly — no pseudo-scores were forced); no historical patch-latency distribution (repository timestamps are heterogeneous across release eras — a documentary lower bound was retained instead of a fabricated panel); the secondary vulnerability-event series is used for sensitivity only, because its event-level provenance is incomplete in the public bundle; no software-exhaustion claims, which the fitted intervals do not license.
3. Findings
- The public security burden lands where the architecture says it must: under primary attribution, 87 of 109 QSBs (79.8%, 95% CI 71.3–86.3) are attributable to Xen, CPU/microarchitectural, or other upstream components rather than Qubes-core logic — a conclusion stable across all four attribution views (80.9% weighted; 82.5% identifier-weighted) and supported by the project’s own tracker (113 of 464 XSAs affect Qubes) (artefacts 1, 2).
- The record has one dominant regime shift — 2015Q1, recovered independently by Bayesian, BIC, deviance-search, and binary-segmentation analyses — and the post-2018 disclosure rate is statistically flat: a stable plateau in the public record, not continuing growth and not imminent exhaustion. Overdispersion checks show this is not a Poisson artifact (artefacts 1, 2).
- The plateau is not homogeneous: its composition shifted toward hardware. All 23 transient-execution/microcode advisories occur from 2018 onward and account for 31.5% of post-2018 bulletins — external research waves in the execution substrate, exogenous to Qubes’ own implementation discipline (artefacts 1, 2).
- A negative result, reported as such: S-shaped vulnerability-discovery models fit the cumulative record best descriptively, but confer no statistically significant short-horizon forecasting advantage over a rolling three-year mean. Descriptive curves do not earn maturity or exhaustion claims (artefacts 1, 2).
- The finding generalizes: systems that pursue strong isolation by compressing trust into few anchors reduce the security-critical logic they own while becoming unusually exposed to the engineering and disclosure dynamics of their hypervisor, processor, and adjacent low-level ecosystem. Qubes is the clean case because its record makes the dependency observable (artefact 1).
4. Consequence
Consequences pending; the investigation is active.
5. Artefact record
| # | Artefact | Type | Venue / identifier | Date | Access |
|---|---|---|---|---|---|
| 1 | Qubes OS Security in the Public Record | preprint | arXiv: [identifier to be assigned at deposit] | 2026 | [arxiv.org link upon deposit — canonical copy. The manuscript is under revision for archival resubmission following peer review; publication status is stated here truthfully as it changes.] |
| 2 | Replication bundle: complete 109-QSB primary ledger, annual/quarterly count tables, XSA-tracker snapshot, derived analysis tables, attribution codebook, stratified manual-validation subset, secondary series (annual aggregates) | dataset | Zenodo DOI: [to mint at release] | 2026 | [Zenodo DOI — citable archival snapshot, released with the preprint so the artifact is available to any reviewer or reader from day one.] |
6. Continuity
Inherits: from INV-002, the claim that architectures fail at their weakest assumed-trustworthy component — here quantified across fourteen years; and from INV-000, hardware-induced undependability as a category — the transient-execution wave now dominating the record’s composition belongs to that category, a continuity of kind, not of mechanism. Feeds: this investigation’s longitudinal empirics and INV-007’s governance agenda converge on a candidate successor — measuring model-assisted vulnerability discovery rather than reasoning about it: the mitigation gap, quantified.
7. What’s next
Deposit: the preprint to arXiv and the replication bundle to Zenodo (July 2026) — the record above updates with identifiers on the day they exist. Circulation to the community the work measures, subject to their calls for participation opening and accepting the proposals; engagement from the Qubes project itself — on the attribution codebook and the tracker’s relevance policy — is sought as a strengthening input to revision, not only as dissemination. Archival resubmission: a revised manuscript, re-scoped per review and with the artifact public, to a venue selected for fit with measurement work. The convergence agenda with INV-007 (see §6) awaits a decision on the successor investigation.
8. Provenance
Provenance. A Longitudinal Analysis of Qubes OS Security and the related materials above were produced without external funding. Their subject — the public advisory record of an open-source operating system — is unrelated to the vulnerability-acquisition market in which Zeronomi, founded and directed by the author, operates; the analysis is descriptive measurement of public sources and would have no foreseeable differential effect on Zeronomi’s commercial interests. It relies on the public advisory corpus cited, not on non-public commercial information.
Added 2026/07/11 under Policy v1.0.
Page last updated: 2026/07/11 · Part of the Pwnshow investigation series
← Investigations index