Full Disclosure mailing list archives

Re: OSS means slower patches


From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 19 Sep 2005 09:56:32 -0400

Roman Drahtmueller wrote:

> Security vulnerabilities are usually dealt with "best effort" commitment
> on behalf of the vendors. It's going to be your decision as to which
> model you trust more: Simply relying on your vendor's commercial
> commitment, or, in addition to that, benefit from an OSS developer's
> personal motivation to keep and improve his reputation. Keep in mind that
> with closed source, you can't really tell what has been changed in a fix
> and that the fix actually addresses the problem.

Not to mention that something that actually is a function of the Free Software/Open Source Software ideologies is a degree of transparency.

If you're measuring "time to disclosure" versus "time to patch" you most definitely should expect a difference because people are more likely to just disclose vulnerabilities in FS/OSS applications whereas people finding flaws in proprietary software tend to keep those flaws to their chest for a longer period of time than others - both for legal reasons and due to vendor requirements.

In other words, the difference in the development methods inherently makes the method of statistical analysis used invalid.

GIGO - Garbage In, Garbage Out... that mantra doesn't just work for computers, it works for statistics as well.

            -Barry
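The measurement problem Barry describes, worked through on constructed data (this is an added illustration, not code from the original post or from any of the people in the thread). Two populations of vulnerabilities take the same time from discovery to fix; they differ only in when the bug becomes public. A study that starts its clock at public disclosure then reports very different "time to patch" figures, and never sees the records whose fix shipped before the advisory. All names, dates and the "oss"/"proprietary" labels are assumptions made up for the example.

```python
"""Added example (not from the original post): how the start event chosen for
a "time to patch" metric changes the answer when disclosure practice differs
between two populations of vulnerabilities.  All records are constructed."""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability with the three dates a patch-latency study might use."""
    name: str
    model: str          # constructed label: "oss" or "proprietary"
    discovered: date    # the finder learns of the bug
    disclosed: date     # the bug becomes public
    patched: date       # a fix is available


# Constructed sample.  Both populations take 30 days from discovery to fix;
# the only difference is when the bug is made public.  OSS bugs are posted
# at or near discovery; the proprietary ones surface with or after the fix.
RECORDS = [
    VulnRecord("oss-1", "oss", date(2005, 1, 1), date(2005, 1, 1), date(2005, 1, 31)),
    VulnRecord("oss-2", "oss", date(2005, 2, 1), date(2005, 2, 3), date(2005, 3, 3)),
    VulnRecord("oss-3", "oss", date(2005, 4, 1), date(2005, 4, 1), date(2005, 5, 1)),
    VulnRecord("prop-1", "proprietary", date(2005, 1, 1), date(2005, 1, 31), date(2005, 1, 31)),
    VulnRecord("prop-2", "proprietary", date(2005, 2, 1), date(2005, 3, 10), date(2005, 3, 3)),
    VulnRecord("prop-3", "proprietary", date(2005, 4, 1), date(2005, 4, 25), date(2005, 5, 1)),
]


def _days(start: date, end: date) -> int:
    """Signed day count; negative when `end` precedes `start`."""
    return (end - start).days


def mean_interval(records, model, start_field):
    """Mean days from the date in `start_field` to `patched`, for one model."""
    vals = [_days(getattr(r, start_field), r.patched)
            for r in records if r.model == model]
    return sum(vals) / len(vals)


def compare(records):
    """The same population measured from two different start events."""
    result = {}
    for model in ("oss", "proprietary"):
        result[model] = {
            "discovery_to_patch": mean_interval(records, model, "discovered"),
            "disclosure_to_patch": mean_interval(records, model, "disclosed"),
        }
    return result


def hidden_from_public_data(records):
    """Records patched on or before their public disclosure.  A dataset that
    only starts tracking a bug once it is public never observes these as
    open issues, so they are missing from, or distort, a disclosure-based
    comparison."""
    return [r.name for r in records if r.patched <= r.disclosed]


if __name__ == "__main__":
    for model, metrics in compare(RECORDS).items():
        print(f"{model:12s} discovery->patch {metrics['discovery_to_patch']:6.1f} days, "
              f"disclosure->patch {metrics['disclosure_to_patch']:6.1f} days")
    print("never seen as unpatched in public data:", hidden_from_public_data(RECORDS))
```

Run as a script it prints 30.0 days for both populations when the clock starts at discovery, but roughly 29 days for "oss" and a slightly negative figure for "proprietary" when it starts at public disclosure, with two of the three proprietary records never appearing as open bugs at all. Nothing about the fix process differed; only the choice of input changed the result.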


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

