Linked by Thom Holwerda on Fri 16th Mar 2007 17:02 UTC, submitted by Shawna McAlearney
"Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions." Note that these results speak only of fixed vulnerabilities; the author aims to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this, by the way.
Why not use SecurityFocus or CVE
by Robert Escue on Fri 16th Mar 2007 19:17 UTC
If I was going to score vulnerabilities, I would use SecurityFocus and CVE (cve.mitre.org) to get vulnerability information. As a system administrator I am more interested in what is not patched or fixed, as opposed to what is. Also, searching in such broad terms gives a skewed result.

For example, using SunSolve's information shows that the results are not limited to the Solaris operating system. For January 2007 there are 19 vulnerabilities listed, as opposed to the 20+ listed in the graph. At least two of them do not affect Solaris 10 at all! The kcms_configure vulnerability does not affect Solaris 10 because it is not part of Solaris anymore, and the Sun Ray Server Admin GUI only affects installations where Sun Ray Server is used.

I would not use this to measure whether an OS is vulnerable or not. There are far better resources for people who are concerned about security; this is nothing more than Jeff trying to make a name for himself online.

Reply Score: 5
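The counting problem raised in the comment above, as an added example that is not part of the thread or of the scorecard author's method: a vendor-wide feed is scored only against what is actually installed, and fixed entries are kept apart from open ones. Advisory ids, product sets and the records themselves are constructed placeholders.

```python
# Added example: score a vendor-wide advisory feed against an installed set of
# components, keeping fixed and unfixed entries apart. Ids and records are
# constructed placeholders, not real CVE or Sun alert numbers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    adv_id: str         # placeholder identifier
    affects: frozenset  # components the vendor lists as affected
    fixed: bool         # whether a patch has shipped


# Constructed feed, deliberately broader than one OS release. It mirrors the two
# cases in the comment: a component dropped from the newer release, and an
# optional add-on that only matters where it is installed.
FEED = [
    Advisory("ADV-1", frozenset({"Solaris 10"}), fixed=True),
    Advisory("ADV-2", frozenset({"Solaris 10", "Solaris 9"}), fixed=False),
    Advisory("ADV-3", frozenset({"Solaris 9"}), fixed=True),       # removed component
    Advisory("ADV-4", frozenset({"Sun Ray Server"}), fixed=True),  # optional add-on
    Advisory("ADV-5", frozenset({"Solaris 10"}), fixed=False),
]


def scorecard(feed, installed):
    """Score a feed against the set of installed components.

    Returns the raw feed size (what a broad search reports), the number of
    advisories that actually apply to this system, and how many of those
    are still open, with the open ids listed so an admin can act on them.
    """
    applicable = [a for a in feed if a.affects & installed]
    return {
        "feed_total": len(feed),
        "applicable": len(applicable),
        "fixed": sum(1 for a in applicable if a.fixed),
        "unfixed": sum(1 for a in applicable if not a.fixed),
        "open_ids": sorted(a.adv_id for a in applicable if not a.fixed),
    }


if __name__ == "__main__":
    print(scorecard(FEED, frozenset({"Solaris 10"})))
    print(scorecard(FEED, frozenset({"Solaris 10", "Sun Ray Server"})))
```

The raw feed count of 5 is what a broad search reports; only 3 entries apply to a plain Solaris 10 host, and the open ones are what a sysadmin actually has to track.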