Contributed by jose on from the window-of-vulnerability dept.
On Friday, I saw a message on Bugtraq from the people at MITRE who run the CVE service stating that only 45% of vulnerabilities have been acknowledged by vendors. That's a pretty low number, but when you think about the number of acknowledgements you see vs. the number of vulnerabilities announced, it starts to seem realistic.
The "window of vulnerability" has been addressed by William Arbaugh in a pair of papers here and here, which definitely make for some good reading. Pair those up with an excellent 2002 LISA paper from the guys at WireX on patching timelines. Also, an interesting paper from FIRST 1999 discusses patching methodologies to keep on top of security as well as reliability.
Bringing it all back home, the usage graphs from OpenSSH show a clear response to vulnerabilities and new versions coming out, something which would be interesting to mine for in other services (BIND, SSL). As for OpenSSL vulnerabilities, Ben Laurie's lamentations on the subject are worth reading, too.
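The same kind of mining can be done against your own inventory: if you record which service versions are running across your hosts each week, you can measure the window of vulnerability for a given advisory directly, as the curve of "share of hosts still on a pre-fix version" after disclosure. The script below is an added example, not code from this post or from the OpenSSH or Arbaugh papers; the survey data, dates, version strings and the fixed version are all constructed for illustration and do not refer to any real advisory.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# One survey: the date it was taken and a histogram of version string -> host count.
Survey = Tuple[date, Dict[str, int]]

# Constructed sample data (hypothetical service, hypothetical versions):
# weekly banner surveys of 200 internal hosts around a fictional disclosure.
DISCLOSED = date(2002, 6, 24)   # constructed disclosure date
FIXED_VERSION = "3.1"           # constructed: first version carrying the fix
SAMPLE_SURVEYS: List[Survey] = [
    (date(2002, 6, 20), {"2.9.1": 80, "3.0.2": 120}),
    (date(2002, 6, 24), {"2.9.1": 70, "3.0.2": 120, "3.1": 10}),
    (date(2002, 7, 1),  {"2.9.1": 40, "3.0.2": 70,  "3.1": 90}),
    (date(2002, 7, 8),  {"2.9.1": 15, "3.0.2": 30,  "3.1": 155}),
    (date(2002, 7, 15), {"2.9.1": 5,  "3.0.2": 10,  "3.1": 185}),
    (date(2002, 7, 22), {"2.9.1": 2,  "3.0.2": 3,   "3.1": 195}),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '3.0.2' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def vulnerable_count(counts: Dict[str, int], fixed_version: str) -> int:
    """Number of hosts running a version older than the one carrying the fix."""
    fixed = parse_version(fixed_version)
    return sum(n for v, n in counts.items() if parse_version(v) < fixed)


def vulnerable_share(counts: Dict[str, int], fixed_version: str) -> float:
    """Fraction of observed hosts still on a pre-fix version (0.0 if nothing observed)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return vulnerable_count(counts, fixed_version) / total


def _after_disclosure(surveys: List[Survey], disclosed: date) -> List[Survey]:
    """Surveys taken on or after the disclosure date, in date order."""
    return [s for s in sorted(surveys, key=lambda s: s[0]) if s[0] >= disclosed]


def exposure_curve(surveys: List[Survey], disclosed: date,
                   fixed_version: str) -> List[Tuple[int, float]]:
    """(days since disclosure, vulnerable share) for each post-disclosure survey."""
    return [((day - disclosed).days, vulnerable_share(counts, fixed_version))
            for day, counts in _after_disclosure(surveys, disclosed)]


def days_to_threshold(curve: List[Tuple[int, float]],
                      threshold: float = 0.10) -> Optional[int]:
    """Days after disclosure until the vulnerable share first falls to the threshold
    or below; None if the surveys never get there (the window is still open)."""
    for days, share in curve:
        if share <= threshold:
            return days
    return None


def host_days_exposed(surveys: List[Survey], disclosed: date,
                      fixed_version: str) -> float:
    """Area under the vulnerable-host count after disclosure (trapezoidal rule),
    in host-days: a single number for comparing patch campaigns."""
    points = [((day - disclosed).days, vulnerable_count(counts, fixed_version))
              for day, counts in _after_disclosure(surveys, disclosed)]
    total = 0.0
    for (d0, n0), (d1, n1) in zip(points, points[1:]):
        total += (n0 + n1) / 2 * (d1 - d0)
    return total


if __name__ == "__main__":
    curve = exposure_curve(SAMPLE_SURVEYS, DISCLOSED, FIXED_VERSION)
    for days, share in curve:
        print(f"day {days:>3}: {share:.1%} of hosts still vulnerable")
    print("days until <=10% vulnerable:", days_to_threshold(curve))
    print("host-days exposed:", host_days_exposed(SAMPLE_SURVEYS, DISCLOSED, FIXED_VERSION))
```

The threshold is a policy choice: "10% of hosts still vulnerable" is only a constructed cutoff, and the survey before disclosure is deliberately excluded so the curve starts at day zero. The host-days figure is the more useful comparison across advisories, since two campaigns can reach the same threshold on the same day with very different amounts of exposure in between.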