On Tue, Mar 30, 2004 at 03:52:49PM -0800, Matt Zimmerman wrote:
>
> A better question would be how they determined the applicability of the
> vulnerabilities. This is a non-trivial job even for many individual
> vulnerabilities, and they claim to have surveyed hundreds.

Since they used a vulnerability database (ICAT) they probably (blindly) correlated vulnerabilities that applied to products against published advisories, which is bound to fail in many cases.

Since the full report costs $899 and I assume (since this is news to mdz) they have not disclosed this information to the Debian Security team [0], I wonder if we will ever know what they are really talking about and what (if any) flaws the report has.

For example, I find the use of an "average" funny (instead of other statistical metrics that more accurately reflect the data). As has been said already: lies, damn lies and statistics....

The fact that the numbers (on average) don't match what I have published before (in 2001 [1] and last year at Debconf3 [2]) leads me to believe the data is not really accurate (although in my analysis I included all vulnerabilities and did not relate them to severity).

I would still be interested in reading the full report...

Regards

Javier

[0] I wonder what's under the "Companies And Organizations Interviewed For This Document" in their report.
[1] http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html
[2] http://people.debian.org/~jfs/debconf/security/