Full Disclosure mailing list archives

Re: windows linux final study


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 29 Mar 2005 16:53:07 +0200

* security curmudgeon:

> From the report:
>
>   Additionally, when examining the days of risk - time between when a
>   vulnerability is publicly disclosed to when a patch is released by the
>   vendor for that vulnerability - we found an average of 31.3 days of risk
>   per vulnerability for the Windows solution, 69.6 days of risk per
>   vulnerability for the minimal Linux solution and 71.4 days of risk for
>   the default Linux solution.
>
> This is from page 2 of the study. Can we agree that if you find a serious
> flaw/error in the paper by page 2 (out of 37) that one might have reason
> to be skeptical?
>
> Does anyone in the security industry *really* think Windows ever has
> 31.3 days of risk for vulnerabilities?

I would have expected that it's lower than that.  After all, it's
defined as the number of days between public disclosure and patch
release, and I assume it's rather unlikely that vulnerabilities are
discussed publicly before the patch release (except for
browser-related vulnerabilities).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/