http://secunia.com/advisory_statistics/
ever heard of google?

On Sun, 26 Dec 2004 12:26:17 -0500 (EST), [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> Holiday season greetings.
>
> I am a PhD student at Princeton studying security. I am interested in
> studying vulnerability statistics. I am interested in answering questions
> like:
>
> 1. Which are the programs where bugs are found often?
>
> 2. Which vendors tend to be frequently affected?
>
> 3. What are the common vulnerabilities (buffer overflows I guess)?
>
> 4. How often are patches available before a vulnerability is publicly
> disclosed?
>
> 5. How much time does it take for a typical vendor to patch the bug? How
> diligent are various vendors regarding releasing patches?
>
> 6. What are the OS specific statistics?
>
> 7. How diligent are users/administrators regarding patching? In some cases
> there might be genuine reasons why you cannot patch (loss of availability
> etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.
>
> 8. Have there been situations when a patch has not been available for a
> long time, say more than a month.
>
> .
> .
> .
> .
> .
>
> I am primarily interested in seeing how fast the patches are out. I am
> more interested in knowing about those situations when a patch is not
> available fast. What did people do to avoid getting hit? I would
> appreciate some concrete examples. So I am mostly interested in questions
> 4, 5, and 8.
>
> Has someone already studied these patterns? Can the community refer me to
> some useful links? I would appreciate concrete examples and a quantitative
> analysis. I have talked to a few system administrators. But I am confused
> whether patch availability is indeed a problem. Unfortunately, the answer
> is specific to what software you are running and the answer tends to be
> subjective.
>
> Thanks in advance,
> Regards,
> Sudhakar.
>
> Sudhakar Govindavajhala
> Department of Computer Science
> Graduate Student, Princeton University
> Ph : (lab) +1 609 258 1763 (office) +1 609 258 1798
> http://www.cs.princeton.edu/~sudhakar
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
