Another question is how many of the reported bugs wound up being false positives. Through casual conversations with some vendor (I forget whom), it became clear that the massive number of reported issues was very time-consuming to deal with, and not always productive. Of course this is no surprise to people on this list, but important to note.
Regarding vendor responses - through my work in CVE, I've noticed that a developer who's been "tagged" often enough will eventually develop more systematic responses such as secure APIs, coding standards, or at least a thorough review. This is briefly touched on in the Unforgivable Vulnerabilities paper that I gave at Black Hat USA last year, where I discuss vulnerability complexity as a qualitative indicator of software security.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________