mark :: blog
For the past 12 months I've been keeping metrics on the types of issues that get
reported to the private Apache Software Foundation security alert
email address. Here's the summary for Jul 2006-Jun 2007 based
on 154 reports:

| Type of report | Reports (share of 154) |
|---|---|
| User reports a security vulnerability (this includes things later found not to be vulnerabilities) | 47 (30%) |
| User is confused because they visited a site "powered by Apache" (happens a lot when some phishing or spam points to a site that is taken down and replaced with the default Apache httpd page) | 39 (25%) |
| User asks a general product support question | 38 (25%) |
| User asks a question about old security vulnerabilities | 21 (14%) |
| User reports being compromised, although non-ASF software was at fault (For example through PHP, CGI, other web applications) | 9 (6%) |

That last one is worth restating: in the last 12 months no one who
contacted the ASF security team reported a compromise that was
found to be caused by ASF software.
Created: 16 Jul 2007
Tagged as: apache, metrics, security
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.