mark :: blog
Today a "Role Comparison Report" from Security Innovation was
published which has a headline that we fix security issues less than
half as fast as Microsoft.
Red Hat was not given an opportunity to examine the "Role
Comparison Report" or it's data in advance of publication and we
believe there to be inaccuracies in the published "days of risk"
metrics. These metrics are significantly different from our own
findings based on data sets made publically available by our Security
Despite the report's claim to incorporate a qualitative assessment
of vendor reactions to serious vulnerabilities, the headline metrics
treats all vulnerabilities as equal, regardless of their risk to
users. The Red Hat Security Response Team publish complete data sets
allowing calculations to be made taking into account the severity of
each flaw. Red Hat prioritise all vulnerabilities and fix first those
that matter the most.
For example out of the dataset examined by the report there were
only 8 flaws in Red Hat Enterprise Linux 3 that would be classed as
"critical" by either the Microsoft or Red Hat severity scales. Of
those, three quarters were fixed within a day, and the average was 8
days. A critical vulnerability is one that could be exploited to
allow remote compromise of a machine without interaction, for example
by a worm.
With the current threat landscape it is no longer sufficient for
operating system vendors to just respond to security issues. As part
of our overall security strategy Red Hat is continually innovating to
create new technologies that proactively help reduce the risk of
unpatched or as yet undiscovered vulnerabilities.
and perl script to let you run your own metrics from the Security
Created: 22 Mar 2005
Tagged as: metrics, microsoft, red hat, security
(new comments disabled)
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.
pics from my twitter:
red hat summit,