Bugtraq mailing list archives
Re: On product vulnerability history and vulnerability complexity
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 3 Apr 2006 16:50:45 -0400 (EDT)
On Mon, 3 Apr 2006, Gadi Evron wrote:

> Looking at Microsoft's software of today, it is extremely well-written and professional. Far beyond that of most others. Finding vulnerabilities in them is extremely difficult. Most vulnerabilities you will find will be logical in nature and not easy.

A researcher mentioned to me offline that it takes a lot more time to find vulnerabilities in such software. This could be another quantitative indicator, although it would be highly variable depending on each individual researcher's methods and tools.

> That is key, as today's data is very lacking to base much on. But we use what we have, right?

Until we start to collect what we should. Disclosure timelines weren't that common a few years ago, and now there's a virtual goldmine of data waiting for some enterprising person to examine notification-to-patch timelines as well as overall vendor responsiveness.

- Steve