Hi

On 3/11/20 6:34 PM, Cindy Sue Causey wrote:
> On 3/11/20, Paul Tagliamonte <paultag@ubuntu.com> wrote:
>> Two main points if we do respond -
>>
>> 1) CVEs and other vuln databases are not a scoreboard. The most insecure
>> code will have zero CVEs since no one's identified issues with it.
>
>
> My brain's translating that to alternately say.... the more something
> is used, the more exposed it is, and that's when you'll *happily*
> FIND-N-FIX those vulnerabilities.
>
> Something that's not used or is not used very often? Who's around to
> find anything wrong with it.....?
>
>
>> 2) This includes all software available to apt. This means you have to
>> include all Windows apps in the Microsoft app store when considering CVE
>> totals.
>
>
> *waving literally from the Peanut Gallery (Georgia)*
>
> Cindy :)
>

Regarding a response, I think it would be a good idea if it covers how vulnerabilities are reported, and then more towards Paul's earlier point of where the vulnerabilities are found and does it include all of the software officially or unofficially in the distribution/vendor package.

Another point to consider would be how quickly the vulnerability is addressed and patched, Linux isn't just Tuesdays.

That article is nested a bit, have some source[1] :)

[1] https://thebestvpn.com/vulnerability-alerts/

Regards,

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁   Donald Norwood
⢿⡄⠘⠷⠚⠋⠀   B7A1 5F45 5B28 7F38 4174
⠈⠳⣄⠀⠀⠀⠀   D5E9 E5EC 4AC9 BD62 7B05