Re: [Full-Disclosure] Hotmail & Passport (.NET Accounts)

From: Mark J Cox (mjc_at_redhat.com)
Date: 05/12/03

  • Next message: yossarian: "Re: [Full-Disclosure] PGP vs. certificate from Verisign"
    To: Nick FitzGerald <nick@virus-l.demon.co.uk>
    Date: Mon, 12 May 2003 10:44:40 +0100 (BST)
    

    > I sure hope that
    > folk won't be sucked into bogus "MS released fewer IE patches last
    > year" claims based solely on the year-on-year comparison of the
    > number of patch releases (as indicated by security bulletin count).

    Most vendors and even open source software projects roll up security
    fixes, usually when issues are classed as minor or if several severe
    issues can be announced and fixed at the same time. To know how many
    issues get rolled up you need to be able to count issues or
    vulnerabilities and that can be quite subjective. However we can
    normalise on CVE data to get useful statistics:

    Looking at point releases of Apache 1.3 and Apache 2.0 that contained
    security fixes, each release fixed on average 1.63 vulnerabilities (44%
    of releases fixed more than one issue, max 3 issues in one release).

    Looking at Red Hat advisories from Jan 2000 to Apr 2002, each advisory for
    Red Hat Linux fixed on average 1.54 vulnerabilities (18% of advisories
    fixed more than one issue, max 11 issues in one advisory).

    Cheers, Mark

    -- 
    Mark J Cox
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
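The normalisation Mark describes (count CVE identifiers rather than advisories or releases, so that rolled-up fixes are not undercounted) is easy to automate. The following is an added example, not code from the mail or from Red Hat or Apache: it takes a constructed set of advisory texts (the advisory ids and CVE numbers are made up) and reports the same kind of figures quoted above: mean issues per security advisory, share of advisories fixing more than one issue, the maximum, and the number of distinct identifiers. It also folds the 2003-era `CAN-` candidate prefix into `CVE-` so the same issue re-released for a second platform is not counted twice, which is the subjectivity the mail warns about.

```python
"""Roll-up statistics from advisory texts, normalised on CVE identifiers.

Added example; the advisories below are constructed sample data, not
real Red Hat or Apache advisories.
"""
import re

# Accept both the accepted (CVE-) and the candidate (CAN-) prefix used in
# 2003-era advisories and map both onto the CVE- form for de-duplication.
ID_RE = re.compile(r"\b(?:CVE|CAN)-(\d{4}-\d{4,})")

# Constructed sample: advisory id -> advisory text. The third advisory
# re-mentions an issue from the first one under its CAN- name.
SAMPLE_ADVISORIES = {
    "EXAMPLE-2003:001": "Fixes CVE-2003-0001 and CVE-2003-0002 in the web server.",
    "EXAMPLE-2003:002": "Security update for CVE-2003-0003.",
    "EXAMPLE-2003:003": "CAN-2003-0001 for another platform; also fixes "
                        "CVE-2003-0004 and CVE-2003-0005.",
    "EXAMPLE-2003:004": "Bug-fix release, no security content.",
}


def cves_in(text):
    """Return the set of distinct CVE ids referenced in one advisory text."""
    return {"CVE-" + num for num in ID_RE.findall(text)}


def rollup_stats(advisories):
    """Compute how many issues each security advisory rolled up.

    Advisories that reference no CVE id are not security advisories and
    are excluded from the per-advisory figures (but still counted in total).
    """
    per_advisory = {aid: cves_in(text) for aid, text in advisories.items()}
    security = {aid: ids for aid, ids in per_advisory.items() if ids}
    counts = [len(ids) for ids in security.values()]
    distinct = set().union(*security.values()) if security else set()

    if not counts:  # edge case: no security advisories at all
        return {"advisories": len(advisories), "security_advisories": 0,
                "mean_per_advisory": 0.0, "share_multi": 0.0,
                "max_per_advisory": 0, "cve_mentions": 0, "distinct_cves": 0}

    return {
        "advisories": len(advisories),
        "security_advisories": len(security),
        # Mean issues fixed per security advisory (the 1.63 / 1.54 figures).
        "mean_per_advisory": sum(counts) / len(counts),
        # Fraction of security advisories that rolled up more than one issue.
        "share_multi": sum(1 for n in counts if n > 1) / len(counts),
        "max_per_advisory": max(counts),
        # Raw mentions vs. distinct ids: the gap is the double-counting that
        # counting advisories (or re-releases) instead of CVEs introduces.
        "cve_mentions": sum(counts),
        "distinct_cves": len(distinct),
    }


if __name__ == "__main__":
    for key, value in rollup_stats(SAMPLE_ADVISORIES).items():
        print(f"{key:>20}: {value}")
```

On the constructed sample this reports three security advisories fixing 2.0 issues each on average, two thirds of them fixing more than one, six CVE mentions but only five distinct identifiers. Counting advisories would give 4, counting releases with security content 3, counting mentions 6; only the distinct-CVE count of 5 is comparable across vendors, which is the point of normalising on CVE data.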
