Mark J Cox, mark@awe.com  
   
mark :: blog


As part of our security measurement work since March 2005 we've been tracking how the Red Hat Security Response Team first found out about each vulnerability we fix. This information is interesting as can show us which relationships matter the most, and identify trends in vulnerability disclosure. So for two years to March 2007 we get the following results (in percent):

20070410-relationships

I've separated the bars into two sections; the red sections are where we get notice of a security issue in advance of it being public (where we are told about the issue 'under embargo'). The grey sections are where we are reacting to issues that are already public.

The number of issues through researchers and co-ordination centers seem lower than perhaps expected, this is because in many cases the researcher will tell a group such as vendor-sec rather than each distributor separately, or the upstream project directly.

Created: 10 Apr 2007
Tagged as: , ,

0 comments (new comments disabled)

       


Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.


popular tags: [all], apache, apacheweek, cve, cvss, fedora, ha, metrics, microsoft, redhat, security, trips


Subscribe to RSS feed