Full Disclosure mailing list archives

Any study on patch availability?
From: sudhakar+fulldisclosure () CS Princeton EDU
Date: Sun, 26 Dec 2004 12:26:17 -0500 (EST)

Hi all,

Holiday season greetings.

I am a PhD student at Princeton studying security. I am interested in
studying vulnerability statistics. I am interested in answering questions:

1. Which are the programs where bugs are found often?

2. Which vendors tend to be frequently affected?

3. What are the common vulnerabilities (buffer overflows I guess)?

4. How often are patches available before a vulnerability is publicly

5. How much time does it take for a typical vendor to patch the bug?
diligent are various vendors regarding releasing patches?

6. What are the OS-specific statistics?

7. How diligent are users/administrators regarding patching? In some cases
there might be genuine reasons why you cannot patch (loss of availability
etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.

8. Have there been situations when a patch has not been available for a
long time, say more than a month?


I am primarily interested in seeing how fast the patches are out. I am
more interested in knowing about those situations when a patch is not
available fast. What did people do to avoid getting hit? I would
appreciate some concrete examples. So I am mostly interested in questions
4, 5, and 8.

Has someone already studied these patterns? Can the community refer me to
some useful links? I would appreciate concrete examples and a quantitative
analysis. I have talked to a few system administrators. But I am confused
whether patch availability is indeed a problem. Unfortunately, the answer
is specific to what software you are running and the answer tends to be

Thanks in advance,

Sudhakar Govindavajhala                   Department of Computer Science
Graduate Student,                         Princeton University
Ph : (lab) +1 609 258 1763                   (office) +1 609 258 1798
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
