I thought I had posted this link in the past, but it turns out I did not, so ...

IEEE S&P CoverLast summer (2007), one of my papers was published in IEEE Security & Privacy, which describes a method for estimating the number of disclosed but unfixed vulnerabilities in some version of software utilizing publicly available data. 

The citation reference is:

Jeffrey R. Jones, "Estimating Software Vulnerabilities," IEEE Security & Privacy, vol. 5, no. 4, 2007, pp. 28-32.

IEEE kindly made the paper available online and as a downloadable document here.