mailing list archives
Re: On product vulnerability history and vulnerability complexity
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 3 Apr 2006 16:50:45 -0400 (EDT)
On Mon, 3 Apr 2006, Gadi Evron wrote:
Looking at Microsoft's software of today, it is extremely well-written
and professional. Far beyond that of most others. Finding
vulnerabilities in them is extremely difficult. Most vulnerabilities you
will find will be logical in nature and not easy.
A researcher mentioned to me offline that it takes a lot more time to find
vulnerabilities in such software. This could be another quantitative
indicator, although it would be highly variable depending on each
individual researcher's methods and tools.
That is key, as today's data is very lacking to base much on. But we use
what we have, right?
Until we start to collect what we should. Disclosure timelines weren't
that common a few years ago, and now there's a virtual goldmine of data
waiting for some enterprising person to examine notification-to-patch
timelines as well as overall vendor responsiveness.