
Vulnerability window may not start with disclosure

Posted Nov 17, 2011 10:03 UTC (Thu) by epa (subscriber, #39769)
Parent article: Security response: how are we doing?

Rather than counting days since the public disclosure of the bug, wouldn't it be better to count days since the vulnerable version of the code was first shipped with the distribution?

That may be unduly pessimistic, but it is equally too optimistic to assume that a vulnerability does not exist until it is disclosed. So better to give both date ranges - the true period of vulnerability will lie somewhere between the two.

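The two date ranges the comment proposes can be computed side by side. The following is an added example, not code from LWN or the commenter: it takes constructed (hypothetical, not real) records with the date the vulnerable code first shipped in the distribution, the public disclosure date and the date a fix shipped, reports the optimistic window (days since disclosure) and the pessimistic one (days since the vulnerable version shipped) for each, and summarises both with a median. The field names and sample dates are assumptions; one record has a fix that shipped before disclosure, which the optimistic bound clamps to zero.

```python
from datetime import date
from statistics import median

# Constructed sample records (hypothetical; not real vulnerability data).
#   shipped   - first release of the distribution carrying the vulnerable code
#   disclosed - public disclosure date of the bug
#   fixed     - date the distribution shipped the fix
SAMPLE_RECORDS = [
    {"id": "bug-1", "shipped": date(2010, 3, 1),
     "disclosed": date(2011, 9, 1), "fixed": date(2011, 9, 8)},
    {"id": "bug-2", "shipped": date(2009, 6, 15),
     "disclosed": date(2011, 10, 20), "fixed": date(2011, 10, 22)},
    # Fix shipped before public disclosure (coordinated/embargoed fix), so the
    # naive "fixed minus disclosed" value would be negative.
    {"id": "bug-3", "shipped": date(2011, 1, 10),
     "disclosed": date(2011, 11, 5), "fixed": date(2011, 11, 1)},
]


def windows(rec):
    """Return (optimistic_days, pessimistic_days) for one record.

    optimistic:  days from public disclosure to the fix, clamped at zero,
                 which is the figure the article's statistics count.
    pessimistic: days from first shipping the vulnerable code to the fix.
    The true exposure lies somewhere between the two.
    """
    optimistic = max(0, (rec["fixed"] - rec["disclosed"]).days)
    pessimistic = (rec["fixed"] - rec["shipped"]).days
    if pessimistic < 0:
        raise ValueError(f"{rec['id']}: fix dated before the code shipped")
    return optimistic, pessimistic


def summarize(records):
    """Median of each bound across all records, as the reply suggests."""
    bounds = [windows(r) for r in records]
    return {
        "median_optimistic_days": median(b[0] for b in bounds),
        "median_pessimistic_days": median(b[1] for b in bounds),
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        opt, pes = windows(rec)
        print(f"{rec['id']}: {opt} days (since disclosure) .. "
              f"{pes} days (since vulnerable code shipped)")
    print(summarize(SAMPLE_RECORDS))
```

The pessimistic figure needs the revision history that ties each bug to the release that introduced it, which is the data the reply below notes is not already compiled; the optimistic one needs only the published disclosure date.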


Vulnerability window may not start with disclosure

Posted Nov 17, 2011 16:57 UTC (Thu) by raven667 (subscriber, #5198)

I imagine that information is harder to compile, as it would mean analyzing the revision information for each bug, and those results aren't already compiled, whereas the disclosure date is well published. Also, it would probably be very depressing. It might be useful to get an average or median number of how many vulnerabilities are likely to be present in any system of a sufficient complexity level.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds