mark :: blog
Secunia released a security summary report for 2007 and surprisingly
gave a count for Red Hat for the year at over 600 vulnerabilities. I
had no idea how they got to this number, it certainly doesn't match
our own publicly available metrics at
Using our public tool, for every Red Hat product and service, for 2007
we issued 306 advisories to fix 404 vulnerabilities. Of those 404
vulnerabilities 41 were critical (on the scale used by Microsoft and
Most people are not going to be using every Red Hat product, so taking
just Enterprise Linux product you find 348 vulnerabilities, of which 27
were critical. A given user is going to only be vulnerable to the issues that affect
the products and packages they have installed. Using the scripts on
our pages you can figure it out for your own circumstances. But as an
example, the default installation of Red Hat Enterprise Linux 4 AS had
172 vulnerabilities of which 4 were critical.
The Secunia report does actually make it clear you can't use their
vulnerability count as a method of comparing platforms, in part due to the
differences in methodology of the vendors, but I'm sure this won't stop
some press from jumping to conclusions if they don't read the actual report.
I've asked Secunia how they got to their number of vulnerabilities, but in the
meantime, a raw count of vulnerabilities is only a small part of the
overall risk exposure in using a product. I've got some more reports that go
into this in more detail for two years of Enterprise Linux 4 and Enterprise Linux
5.0 to 5.1.
Update: Coverage of this: ZDNet
Update: Secunia told me that they treat each advisory separately; so for example
yesterday we issued updates for some moderate severity issues in
the Apache Web server, but we did separate advisories for each affected
product: Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, v2.
So in this case the same Apache vulnerability would be counted 6 times.
Created: 16 Jan 2008
Tagged as: metrics, red hat, security
(new comments disabled)
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.