Re: (linux-)distros list use statistics

[Kristian Fiskerstrand <k_f () gentoo org>]

On 11/13/2017 08:38 PM, Kristian Fiskerstrand wrote:
> > Thank you, Kristian!
> >
> > This lists two very long embargo periods for two Linux kernel issues: 96
> > days for CVE-2017-7533 and 28 days for CVE-2017-1000255.  While this is
> > useful info, it does not reflect (linux-)distros' lists performance as
> > it includes embargo periods from prior to disclosure to those lists.
> > Also, we can't reliably know of such prior embargo periods, so our data
> > would be inconsistent, which is especially bad for calculating averages.
> It is calculated from first report on distros list, that said, for
> CVE-2017-1000255 there was some missing data for first publication (it
> is public through
> https://access.redhat.com/security/cve/CVE-2017-1000255 and
> http://www.securityfocus.com/bid/101264 since 9th), so the publication
> time is 5.97 days (although not for oss-security posting).

Tracked down the -7533 issue as well, it was a fat-finger in the data.
The wiki page is updated with correct info. But the new table is:

Date    All
Number of reports       24
Average embargo time (first public)     5.84
Average embargo time (oss-security)     6.95

2017-06 2017-07 2017-08 2017-09 2017-10
1       3       6       9       5
10.84   4.69    6.39    5.83    4.90
14.16   5.03    6.39    5.84    9.31

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: signature.asc
Description: OpenPGP digital signature