Re: [Full-Disclosure] Hotmail & Passport (.NET Accounts)
From: Mark J Cox (mjc_at_redhat.com)
To: Nick FitzGerald <email@example.com>
Date: Mon, 12 May 2003 10:44:40 +0100 (BST)
> I sure hope that
> folk won't be sucked into bogus "MS released fewer IE patches last
> year" claims based solely on the year-on-year comparison of the
> number of patch releases (as indicated by security bulletin count).
Most vendors and even open source software projects roll up security
fixes, usually when issues are classed as minor or if several severe
issues can be announced and fixed at the same time. To know how many
issues get rolled up you need to be able to count issues or
vulnerabilities and that can be quite subjective. However we can
normalise on CVE data to get useful statistics:
Looking at point releases of Apache 1.3 and Apache 2.0 that contained
security fixes, each release fixed on average 1.63 vulnerabilities (44%
of releases fixed more than one issue, max 3 issues in one release).
Looking at Red Hat advisories from Jan 2000 to Apr 2002, each advisory for
Red Hat Linux fixed on average 1.54 vulnerabilities (18% of advisories
fixed more than one issue, max 11 issues in one advisory).
-- Mark J Cox

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
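One way to reproduce the kind of normalisation described in the post (counting CVE identifiers per advisory instead of counting advisories alone), as an added Python example that is not from the original message. The advisory and CVE identifiers in it are constructed placeholders, not real issues; the script parses them, computes the mean, the fraction of advisories fixing more than one issue and the maximum, and also reports distinct vulnerabilities so that one CVE appearing in two advisories is not counted twice.

```python
"""Normalise advisory counts onto per-vulnerability (CVE) counts.

Added example, not code from the original post. All advisory and CVE
identifiers below are constructed placeholders and refer to no real issue.
"""
import re
from statistics import mean

# Constructed sample input: one advisory per line, "ADVISORY-ID: CVE list".
# ADV-0004 re-fixes a CVE already covered by ADV-0002 (e.g. a second
# product line), which is why "total fixes" and "distinct vulnerabilities"
# differ below.
SAMPLE_ADVISORIES = """\
ADV-0001: CVE-0000-0001
ADV-0002: CVE-0000-0002, CVE-0000-0003, CVE-0000-0004
ADV-0003: CVE-0000-0005
ADV-0004: CVE-0000-0003
ADV-0005: CVE-0000-0006, CVE-0000-0007
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_advisories(text):
    """Return {advisory_id: set_of_cve_ids}.

    Duplicate CVE mentions within one advisory collapse into one entry;
    blank lines are ignored.
    """
    advisories = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        adv_id, _, rest = line.partition(":")
        advisories[adv_id.strip()] = set(CVE_RE.findall(rest))
    return advisories


def rollup_stats(advisories):
    """Compute the roll-up figures the post uses: mean CVEs per advisory,
    fraction of advisories fixing more than one issue, and the maximum,
    plus total fixes versus distinct vulnerabilities."""
    counts = [len(cves) for cves in advisories.values()]
    if not counts:
        return {"advisories": 0, "total_fixes": 0, "distinct_vulnerabilities": 0,
                "mean_per_advisory": 0.0, "fraction_multi": 0.0, "max_per_advisory": 0}
    distinct = set().union(*advisories.values())
    return {
        "advisories": len(counts),
        "total_fixes": sum(counts),
        "distinct_vulnerabilities": len(distinct),
        "mean_per_advisory": round(mean(counts), 2),
        "fraction_multi": round(sum(1 for c in counts if c > 1) / len(counts), 2),
        "max_per_advisory": max(counts),
    }


if __name__ == "__main__":
    for key, value in rollup_stats(parse_advisories(SAMPLE_ADVISORIES)).items():
        print(f"{key}: {value}")
```

On the constructed sample, five advisories carry eight fixes for seven distinct CVEs: a mean of 1.6 per advisory, 40% fixing more than one issue, at most three in a single advisory. Comparing "advisories" with "distinct_vulnerabilities" is the check that the bulletin count alone hides.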