LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Re: Vendor-sec hosting and future of closed lists

[Posted March 9, 2011 by jake]

From:  Mark J Cox <mjc-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>
To:  OSS Security List <oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org>
Subject:  Re: Vendor-sec hosting and future of closed lists
Date:  Thu, 3 Mar 2011 18:31:08 +0000 (GMT)
Message-ID:  <1103031820280.22221@mjc.redhat.com>
Archive-link:  Article, Thread 

> Also the usefulness of v-s in general has a bit diminished, especially with
> oss-sec present and more active and more involved upstream projects doing
> their own management. Mark J Cox has some stats for Redhat updates showing this.

We monitor how we first found out about every issue we eventually fix, and 
if we found out before or after the issue was public.

For vendor-sec, during last calendar years

date		# issues in advance		# issues already public
2008		69				32
2009		57				17
2010		29				22

That 29 represents just 4% of the total number of our vulnerabilities 
fixed in 2010.  The median time of embargo for those 29 issues was 15 days 
(average 24)

But I think that trend is what was expected, as upstream projects 
communicate with affected vendors directly, and we use oss-security for 
issues that don't need embargo or co-ordination.

Thanks, Mark
--
Mark J Cox / Red Hat Security Response
(Log in to post comments)

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds