mark :: blog
From time to time I publish metrics on vulnerabilities that affect
Red Hat Enterprise Linux. One of the more interesting metrics looks at
how far in advance we know about the vulnerabilities we fix, and from where
we get that information. This post is abstracted from the upcoming "4 years of Enterprise Linux 4".
For every fixed vulnerability across every package and every
severity in Enterprise Linux 4 AS in the first 4 years of its life, we
determined if the flaw was something we knew about a day or more in advance of
it being publicly disclosed, and how we found out about the flaw.
For vulnerabilities which are already public when we first hear about them,
we still track the source, as it's a useful internal indicator of where we
should focus our efforts.
So from this data, Red Hat knew about 51% of the security vulnerabilities that
we fixed at least a day in advance of them being publicly disclosed. For those
issues, the average notice was 21 calendar days, although the median
was much lower, with half the private issues having advance notice of 9
days or less.
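To make the methodology above concrete, here is an added example (my own illustration, not Red Hat's tooling or data) that applies the same rules to a small constructed set of records: a flaw counts as known in advance only if we learned of it a calendar day or more before public disclosure, the source is tracked for every flaw regardless, and the advance notice is summarised as both mean and median. The record IDs, dates and source labels are invented for the example; one deliberately long embargo shows how a few such cases pull the mean well above the median, as in the figures above.

```python
from collections import Counter
from datetime import date
from statistics import mean, median

# Constructed sample records, not real vulnerability data.
# Each entry: (identifier, date we first knew, date of public disclosure, source)
SAMPLE = [
    ("flaw-01", date(2008, 1, 3),  date(2008, 1, 20), "vendor-sec"),
    ("flaw-02", date(2008, 2, 10), date(2008, 2, 10), "public-list"),  # same day: not "in advance"
    ("flaw-03", date(2008, 3, 1),  date(2008, 3, 8),  "upstream"),
    ("flaw-04", date(2008, 4, 15), date(2008, 4, 12), "public-list"),  # heard after disclosure
    ("flaw-05", date(2008, 5, 1),  date(2008, 7, 30), "researcher"),   # long embargo; skews the mean
    ("flaw-06", date(2008, 6, 2),  date(2008, 6, 4),  "upstream"),
]


def advance_days(known, public):
    """Calendar days between first knowledge and public disclosure (negative if we were late)."""
    return (public - known).days


def known_in_advance(known, public, min_days=1):
    """The rule from the post: a day or more of notice counts, same-day or later does not."""
    return advance_days(known, public) >= min_days


def summarize(records):
    """Compute the share known in advance, the mean/median notice, and per-source counts."""
    notice = [advance_days(k, p) for _, k, p, _ in records if known_in_advance(k, p)]
    # Source is tracked for every flaw, public-at-first-sight ones included.
    by_source = Counter(src for _, _, _, src in records)
    advance_by_source = Counter(src for _, k, p, src in records if known_in_advance(k, p))
    return {
        "total": len(records),
        "advance_count": len(notice),
        "advance_pct": round(100 * len(notice) / len(records)) if records else 0,
        "mean_days": mean(notice) if notice else 0,
        "median_days": median(notice) if notice else 0,
        "by_source": dict(by_source),
        "advance_by_source": dict(advance_by_source),
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(f"{stats['advance_count']}/{stats['total']} flaws ({stats['advance_pct']}%) known a day or more in advance")
    print(f"mean notice {stats['mean_days']} days, median {stats['median_days']} days")
    for src, n in sorted(stats["by_source"].items()):
        print(f"  {src:12s} total={n} in_advance={stats['advance_by_source'].get(src, 0)}")
```

Note the boundary handling: a flaw first seen on the day it went public contributes to the source breakdown but not to the advance-notice figures, and one 90-day embargo is enough to push the mean (29 days) to more than double the median (12 days) on this tiny set.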
Created: 03 Mar 2009
Tagged as: metrics, redhat, security
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.