mark :: blog

21 Mar 2006: Information sources

In March 2005 we started recording how we first found out about every security issue that we later fixed as part of our bugzilla metadata. The raw data is available. I thought it would be interesting to summarise the findings. Note that we only list the first place we found out about an issue, and for already-public issues this may be arbitrary depending whoever in the security team creates the ticket first.

So from March 2005-March 2006 we had 336 vulnerabilities with source metadata that were fixed in some Red Hat product:

111  (33%)  vendor-sec
 76  (23%)  relationship with upstream project (Apache, Mozilla etc)
 46  (14%)  public security/kernel mailing list
 38  (11%)  public daily list of new CVE candidates from Mitre
 24   (7%)  found by Red Hat internally
 18   (5%)  an individual (issuetracker, bugzilla, secalert mailing)
 15   (4%)  from another Linux vendors bugzilla (debian, gentoo etc)
  7   (2%)  from a security research firm
  1   (1%)  from a co-ordination centre like CERT/CC or NISCC
(Note that researchers may seem lower than expected, this is because in many cases the researcher will tell vendor-sec rather than each entity individually, or in some cases researchers like iDefense sometimes do not give us notice about issue prior to them making them public on some security mailing list)

Created: 21 Mar 2006
Tagged as: , ,

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.