The statistics was compiled from web application security assessment
projects which were made by the following companies in 2008 (in
alphabetic order):

* Blueinfy
* Cenzic with Hailstorm
* DNS with WebInspect
* Encription Limited
* HP Application Security Center with WebInspect
* Positive Technologies with MaxPatrol
* Veracode with Veracode Security Review
* WhiteHat Security with WhiteHat Sentinel

The statistics includes data about 12186 sites with 97554 detected
vulnerabilities.

http://projects.webappsec.org/Web-Application-Security-Statistics