But I think it's biased, 'cause it shows Debian stable has more vulnerabilities than testing:
https://repology.org/repository/debian_11
https://repology.org/repository/debian_12
Possible reason for this kind of bias, from Debian FAQ:
Many vulnerability assessment scanners give false positives when used on Debian systems, since they only use version checks to determine if a given software package is vulnerable, but do not really test the security vulnerability itself. Since Debian does not change software versions when fixing a package (many times the fix made for newer releases is back ported), some tools tend to think that an updated Debian system is vulnerable when it is not.
If you think your system is up to date with security patches, you might want to use the cross references to security vulnerability databases published with the DSAs (see Section 7.2, “Debian Security Advisories”) to weed out false positives, if the tool you are using includes CVE references.
Anyone got any site that compares vulnerabilities between different distros and shows them in graphs? Thanks in advance.