[report] A look at the time Debian takes to fix a security vulnerability
As I said yesterday I wanted to prepare an answer to the question "How much
time does it take for Debian to fix a given bug?". I have made some analysis regarding
vulnerabilities detected and posted in bugtraq and those sent as DSAs. It has taken
some more time than expected since the DSAs do not link directly to either Bugtraq's
database or CVE's (Security Team: please see below). But the answer is:
"For the last year it has taken Debian an average of 35 days to fix security-related
vulnerabilities. However, over 50% of the vulnerabilities were fixed in a 10-day time
frame, and over 15% of them were fixed the same day the advisory was released!"
So I would like to publicly (sp?) give a warm applause to the Debian Security Team
which is doing an excellent job!
I attach some data:
- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days) made by
gnuplot with the previous data
A note for the Security Team: please add a new tag to the DSA's data: <define-tag bid>
and <define-tag cve> that would make it easier to
a) make this kind of analysis stuff
b) track down information regarding vulnerabilities
Many tools (like Nessus for example) link to Bugtraq so it's easier for users to have a
common reference. For example: Nessus says I have vuln XXX but I have installed the
patch advised in DSA which fixes it so I'm ok.
I will try to take some time to do the same for other OSes and pull out a comparison
(which might or might not make the results seem even better); the problem is, however, that
these issues are difficult to automate (will try though).
PS: Of course I have not investigated which reported vulnerabilities are still open
(are there any?), i.e. no DSA has been sent yet.
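As an added illustration of the kind of analysis the post describes (not the author's spreadsheet or gnuplot script), the script below parses DSA-style define-tag fragments, joins them to Bugtraq publication dates through the proposed `bid` tag, and computes the same three figures: average time-to-fix, share fixed within 10 days, and share fixed the same day. The `report_date` tag, the `---` separator, the BIDs and all dates are constructed assumptions for the example.

```python
import re
from datetime import date

# Constructed sample: three DSA-style fragments in define-tag format.
# report_date is assumed to hold the DSA release date; bid is the
# Bugtraq ID tag proposed in the post (hypothetical, not in real DSAs yet).
SAMPLE_DSAS = """
<define-tag report_date>2003-02-10</define-tag>
<define-tag bid>1001</define-tag>
---
<define-tag report_date>2003-03-01</define-tag>
<define-tag bid>1002</define-tag>
---
<define-tag report_date>2003-03-05</define-tag>
<define-tag bid>1003</define-tag>
---
<define-tag report_date>2003-03-09</define-tag>
<define-tag bid>9999</define-tag>
"""

# Constructed Bugtraq publication dates keyed by BID. BID 9999 is deliberately
# absent so the join has to skip an advisory it cannot date.
BUGTRAQ_DATES = {"1001": date(2003, 2, 10),
                 "1002": date(2003, 1, 20),
                 "1003": date(2003, 3, 1)}

TAG_RE = re.compile(r"<define-tag (\w+)>([^<]*)</define-tag>")

def parse_dsas(text):
    """Return one {tag: value} dict per '---'-separated advisory fragment."""
    advisories = []
    for chunk in text.split("---"):
        tags = dict(TAG_RE.findall(chunk))
        if tags:
            advisories.append(tags)
    return advisories

def time_to_fix(dsas, bugtraq):
    """Days from Bugtraq publication to DSA release, for advisories with a known BID."""
    days = []
    for dsa in dsas:
        published = bugtraq.get(dsa.get("bid"))
        if published is None:
            continue  # no Bugtraq reference to date it against; leave it out
        released = date.fromisoformat(dsa["report_date"])
        days.append((released - published).days)
    return days

def summarize(days, window=10):
    """Average, share fixed within `window` days, and share fixed the same day."""
    n = len(days)
    return {"count": n,
            "average_days": sum(days) / n,
            "within_window": sum(1 for d in days if d <= window) / n,
            "same_day": sum(1 for d in days if d == 0) / n}
```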