* security curmudgeon:

> From the report:
>
> > Additionally, when examining the days of risk time between when a
> > vulnerability is publicly disclosed to when a patch is released by the
> > vendor for that vulnerability we found an average of 31.3 days of risk
> > per vulnerability for the Windows solution, 69.6 days of risk per
> > vulnerability for the minimal Linux solution and 71.4 days of risk for
> > the default Linux solution.
>
> This is from page 2 of the study. Can we agree that if you find a serious
> flaw/error in the paper by page 2 (out of 37) that one might have reason
> to be skeptical?
>
> Does anyone in the security industry *really* think Windows ever has a
> 31.3 day of risk for vulnerabilities?
I would have expected that it's lower than that. After all, it's defined as the number of days between public disclosure and patch release, and I assume it's rather unlikely that vulnerabilities are discussed publicly before the patch release (except for browser-related vulnerabilities).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
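Added example, not part of either post above and not taken from the study: the "days of risk" definition being argued about (days from public disclosure to vendor patch, averaged per vulnerability) leaves open what to do with vulnerabilities whose patch shipped on or before the disclosure date, which is exactly the coordinated-disclosure case the reply mentions. The script below uses constructed dates (the SAMPLE list is made up for illustration) and computes the average three ways, to show how much that one accounting choice moves the headline number.

```python
from datetime import date
from statistics import mean

# Constructed sample of (public_disclosure_date, vendor_patch_date) pairs.
# These are illustrative values only, not data from the report under discussion.
SAMPLE = [
    (date(2004, 1, 10), date(2004, 2, 10)),  # disclosed, patched 31 days later
    (date(2004, 3, 1),  date(2004, 3, 1)),   # coordinated: advisory and patch same day
    (date(2004, 4, 5),  date(2004, 4, 1)),   # patch shipped 4 days before public disclosure
    (date(2004, 5, 1),  date(2004, 8, 29)),  # disclosed, patched 120 days later
]


def days_of_risk(disclosed, patched, negative="clamp"):
    """Days between public disclosure and the vendor's patch for one vulnerability.

    negative="clamp": a patch that precedes disclosure counts as 0 days of risk.
    negative="drop":  such a pair is excluded from the metric (returns None).
    negative="raw":   the negative day count is kept and pulls the average down.
    """
    delta = (patched - disclosed).days
    if delta < 0:
        if negative == "clamp":
            return 0
        if negative == "drop":
            return None
        if negative != "raw":
            raise ValueError(f"unknown policy: {negative}")
    return delta


def average_days_of_risk(pairs, negative="clamp"):
    """Average days of risk over all (disclosure, patch) pairs under the given policy."""
    values = [days_of_risk(d, p, negative) for d, p in pairs]
    values = [v for v in values if v is not None]
    return mean(values) if values else None


if __name__ == "__main__":
    for policy in ("clamp", "drop", "raw"):
        print(f"{policy:>5}: {average_days_of_risk(SAMPLE, policy):.2f} days")
```

Over the same four constructed vulnerabilities the average comes out at 37.75 days (clamp), about 50.33 days (drop) or 36.75 days (raw), so a study reporting a single per-vendor figure needs to state which of these it used before the number can be compared across vendors.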
