But "days of risk" only tells you a portion of the story: it doesn't tell you how long a vendor knew about an issue before it was known to the public, or how long it was being exploited before being reported.
Indeed. More often than not, Microsoft replies to bug reports with: "no, that's not a problem". 3 months later they come out with a patch saying: "we found this 3 weeks ago during our own tests". What also sometimes happens is that Microsoft brings out a patch for a problem that doesn't really solve anything. When people complain, the response usually is: "no, this is a new problem", causing the counter to start all over again.
This *is* a problem, as most people higher up in organisations tend not to look too deep into how things were compared and simply draw their conclusions. "If it's written down, it must be true..." On the other hand, I tend to agree with Jonathan: we are doing very well, but could still do better...
Copyright © 2017, Eklektix, Inc.