Linked by Thom Holwerda on Fri 29th Jun 2007 13:12 UTC, submitted by shykid
Privacy, Security, Encryption On Full Disclosure, there's a negative analysis of Jeff Jones' six-month vulnerability report. "Conclusions that are drawn are built on a lack of understanding by the Microsoft researcher. I highly encourage him to go back and take another look, and pare down the results to essential information that is absolutely critical to the conclusions, rather than just 'Other OS's have more bugs, see, look at my graphs'."
Thread beginning with comment 251717
RE: Somewhere in between...
by TBPrince on Fri 29th Jun 2007 20:14 UTC in reply to "Somewhere in between..."

It is valid to state that comparing disclosed/reported vulnerabilities is difficult between Open Source solutions and Microsoft’s products. The simple fact that Microsoft doesn’t report “silently” fixed vulnerabilities that result from auditing surrounding code and components, when an issue is reported publicly, really does make the vulnerability counting exercise a pointless one.

This is not completely true. It's true that Microsoft doesn't always disclose details about their fixes, but they disclose how many of them there are and how important they are. You just need to count how many updates will be released and how many of them are rated critical (they don't lie about this).

Even when they "silently" patch a bug, they need to release an update and rate it.

(of course it's true that a single fix could patch many bugs in different places but they can be considered "atomic" as they solve a single problem)

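The counting question the comment above raises can be made concrete with a small script. This is an added example, not code from the commenter or from the vulnerability report under discussion: it parses a constructed list of bulletin records (hypothetical identifiers and CVE numbers, not real bulletins) and tallies them both ways, by update with its severity rating and by individual CVE, so the gap between "one atomic fix" and "several bugs" is visible in the numbers.

```python
"""Tally a constructed set of security bulletins two ways:
by update (with its severity rating) and by distinct CVE.
The records below are constructed sample data, not real bulletins."""
import re
from collections import Counter

# Constructed sample in a "bulletin-id | severity | CVE list" layout.
# Identifiers and CVE numbers are hypothetical.
SAMPLE_BULLETINS = """\
MS07-001 | Critical  | CVE-2007-0001
MS07-002 | Important | CVE-2007-0002, CVE-2007-0003
MS07-003 | Critical  | CVE-2007-0004, CVE-2007-0005, CVE-2007-0006
MS07-004 | Moderate  | CVE-2007-0007
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_bulletins(text):
    """Return a list of (bulletin_id, severity, [cve_ids]) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bulletin_id, severity, cve_field = (
            part.strip() for part in line.split("|", 2)
        )
        records.append((bulletin_id, severity, CVE_RE.findall(cve_field)))
    return records


def tally(records):
    """Count updates (atomic fixes), updates per severity, and distinct CVEs.

    'updates' is what the comment proposes counting; 'cves' is what a
    per-bug count would give. They differ whenever one update fixes
    several bugs.
    """
    by_severity = Counter(severity for _, severity, _ in records)
    distinct_cves = {cve for _, _, cves in records for cve in cves}
    return {
        "updates": len(records),
        "critical_updates": by_severity["Critical"],
        "by_severity": dict(by_severity),
        "cves": len(distinct_cves),
    }


if __name__ == "__main__":
    print(tally(parse_bulletins(SAMPLE_BULLETINS)))
```

On the sample data the update count is 4 (2 rated Critical) while the CVE count is 7; which of the two figures a report uses changes the comparison, which is the caveat the comment makes in its last paragraph.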