http://www.osvdb.org/blog/?p=79
US-CERT: A disgrace to vulnerability statistics

Posted in Vulnerability Statistics on January 2nd, 2006 by jericho

Several people have asked OSVDB about their thoughts on the recent US-CERT Cyber Security Bulletin 2005 Summary. Producing vulnerability statistics is trivial to do. All it takes is your favorite data set, a few queries, and off you go. Producing meaningful and useful vulnerability statistics is a real chore. I've long been interested in vulnerability statistics, especially related to how they are used and the damage they cause. Creating and maintaining a useful statistics project has been on the OSVDB to-do list for some time, and I personally have not followed up with some folks that had the same interest (Ejovi et al). Until I see such statistics done right, I will of course continue to voice my opinion at other efforts.

[..]

Ok, on to the fun part.. the statistics! Unfortunately, the bulletin is very lacking on wording, explanation, details or additional disclaimers. We get two very brief paragraphs, and the list of vulnerabilities that link to their summary entries. Very unfortunate. No, let me do one better. US-CERT, you are a disgrace to vulnerability databases. I can't fathom why you even bothered to create this list, and why anyone in their right mind would actually use, reference or quote this trash. The only statistics provided by this bulletin:

[..]

A decade later, and the security community still lacks any meaningful statistics for vulnerabilities. Why can't these outfits with commercial or federal funding actually do a good job and produce solid data that helps instead of confuses and misleads?!
