Indeed, the Vista score is a bit misleading to say the least. Vista wasn't released to the general public at all during the period he is examining. And no competent business will have deployed Vista anywhere but in testing in that period either. So it is quite natural that it has had no fixes.
However, it is not biased to not include pre-SP2 XP. SP2 has been out for years, and everyone at all concerned with security should be running it by now. Just like he didn't include old versions of Linux in his comparison.
Then again, these numbers don't mean much if you keep your systems up to date. I will be very interested to see his data on non-fixed problems and time to fix. Much more relevant to determining security than fixed issues.
Another addition that would help the credibility of this piece is a detailed view where the vulnerabilities are listed, broken down by component.
Edited 2007-03-16 18:23





Yeah! Look! Vista has a perfect score! Guess it's time to wipe off that FreeBSD partition and also sell those Xserves... Heh.
And it's absolutely hilarious how he didn't include pre-SP2 XP. Talk about... bias.
Edited 2007-03-16 18:07