Red Hat security team lead Mark J. Cox writes about the "Six Years of Red Hat Enterprise Linux 4" report [PDF] on his blog. It looks at the vulnerabilities that were found and fixed in RHEL 4, along with their severity. "The data we publish is interesting to get a feel for the risk of running Enterprise Linux, but isn't really useful for comparisons with other distributions, or operating systems. One important difference is that it is Red Hat policy to count vulnerabilities and allocate CVE names to all issues that we fix, including ones that are found internally. This is not true for many other vendors including folks like Microsoft and Adobe who do not count or disclose issues they fix which were found internally."