A story of three kernel vulnerabilities

Not only is their analysis biased, but, if the zdnet summary of their report is to be believed, they've shown themselves to be incompetent:

"Zero-day flaws — software vulnerabilities for which no patch is available — in the Linux kernel that were patched last year took an average of 857 days to be closed, Trustwave found. In comparison zero-day flaws in current Windows OSes patched last year were fixed in 375 days."

The obvious implication is that this is a claim that the average of time to close for all zero-day defects in the Linux kernel is 3 years (versus 375 days for Windows). Obviously, an average cannot be calculated from 2 instances, which are very likely worst-case, out of many critical defects. Such miscalculation, of course, implies incompetence (or the zdnet summary is inaccurate). The criticism that these 2 cases took too long to fix is, perhaps, warranted, but nobody paying attention will conclude from their report that the implication of the headline ("Linux trailed Windows in patching zero-days in 2012...") is anything other than bullshit.

Interestingly, at the end of the zdnet article is:

"The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."

This might be viewed as evidence that Trustwave is not biased, but, unfortunately for them in light of their main (apparent) claim, not as evidence that they are not incompetent.