[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] windows linux final study

To: security curmudgeon <jericho@xxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] windows linux final study
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Tue, 29 Mar 2005 16:53:07 +0200

* security curmudgeon:

>>From the report:
>
>   Additionally, when examining the days of risk  time between when a 
>   vulnerability is publicly disclosed to when a patch is released by the 
>   vendor for that vulnerability  we found an average of 31.3 days of risk 
>   per vulnerability for the Windows solution, 69.6 days of risk per 
>   vulnerability for the minimal Linux solution and 71.4 days of risk for 
>   the default Linux solution.
>
> This is from page 2 of the study. Can we agree that if you find a serious 
> flaw/error in the paper by page 2 (out of 37) that one might have reason 
> to be skeptical?
>
> Does anyone in the security industry *really* think Windows ever has a 
> 31.3 day of risk for vulnerabilities?

I would have expected that it's lower than that.  After all, it's
defined as the number of days between public disclosure and patch
release, and I assume it's rather unlikely that vulnerabilities are
discussed publicly before the patch release (except for
browser-related vulnerabilities).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- RE: [Full-disclosure] windows linux final study
  - From: ChrisDay
- RE: [Full-disclosure] windows linux final study
  - From: security curmudgeon

Prev by Date: RE: [Full-disclosure] windows linux final study
Next by Date: RE: [Full-disclosure] Reverse engineering the Windows TCP stack
Previous by thread: RE: [Full-disclosure] windows linux final study
Next by thread: Re: [Full-disclosure] windows linux final study
Index(es):
- Date
- Thread