RHEL, kernel vulnerabilities, and days of risk
Posted Mar 28, 2005 17:35 UTC (Mon) by giraffedata
In reply to: RHEL, kernel vulnerabilities, and days of risk
Parent article: RHEL, kernel vulnerabilities, and days of risk
Those are all good points about security, but don't address the topic of this thread: whether the days of risk measurement in this study is a valid measurement for comparing security risk among programs.
The article suggests that some bugs have an unfairly low days of risk measurement. The bugs you describe that are not a closely held secret, but just not widely exploited, would have a high days of risk measurement. So they're not the ones we're talking about.
Also, I don't think whether Microsoft acknowledges a bug is part of the measurement. But one could imagine that the study biased the measurement by looking only to the easy sources -- Microsoft announcements -- to find out when bugs became known. That would make the issue moot.