Comments on: Bug fix scorecard

By: Security Spin Cycles - The Capslock Assassin

Security Spin Cycles - The Capslock Assassin — Wed, 17 Oct 2007 02:34:27 +0000

[...] Jeff Jones posted a blog entry to celebrate Red Hat fixing their 1000th unique security vulnerability. He also draws attention to a Red Hat post on their “Truth Happens” blog back in August, which itself quotes a post on Lxer.com. [...]

By: Mark Ryder

Mark Ryder — Wed, 17 Oct 2007 01:09:04 +0000

You guys are amazing, thinking that fixing more bugs is a good thing. What are you doing to reduce the number of security bugs in the first? Shipping junk, and fixing lots of bugs later is simply “cowboy coding” and nothing to be proud of.

By: totalnetsolutions.net » Microsoft VS. Red Hat - Why did they go there?

totalnetsolutions.net » Microsoft VS. Red Hat - Why did they go there? — Tue, 16 Oct 2007 19:45:09 +0000

[...] I saw this post from Jeff Jones over at Microsoft today. He mentions that Red Hat Enterprise Linux 4 recently patched their 1000th vulnerability, and provides a quote from Truth Happens(direct link to post), which is a Red Hat blog. I suggest you at least read Jeff’s post, since he quotes the relevant point of the Truth article. [...]

By: Wilsonz

Wilsonz — Tue, 18 Sep 2007 21:04:45 +0000

This post looks like FUD to me or at least its a great example statistics published in an incomplete manner. The same data published as a ratio of fixes by category to bugs found would tell the story more accurately. Maddog’s post addresses the other reason this comparison is likely invalid.

By: Maddog

Maddog — Tue, 28 Aug 2007 05:03:44 +0000

Vista not having much to fix? Or isn’t it more like they don’t announce everything they try to fix? Microsoft has a history of not disclosing bugfixes (see “Skeletons in Microsoft’s Patch Day closet”; http://blogs.zdnet.com/security/?p=316) and this controversial practice will definitely skew Jeff’s numbers. That renders Jeff’s “scorecard” practically useless.

By: Alan

Alan — Sat, 25 Aug 2007 03:04:24 +0000

Ummm. So since Red Hat had more vilnerabilities than Microsoft, they did a better job?? That’s the way to spin it.

Now if they had the same vulnerabilities discovered and one fixed more than the other, then that is a win. Otherwise Windows Vista is the clear winner here for not having much to fix.

By: Josh

Josh — Fri, 24 Aug 2007 21:59:06 +0000

So, uh, is Microsoft’s numbers so low because substantially fewer vulnerabilities were discovered, or was it because they are slow to fix things. From other posts on Jeff’s blog concerning days of vulnerability, MS also comes out in the lead, suggesting that they are fixing the bugs as they arise rather than avoiding fixes.

Also, isn’t it a bit misleading to suggest that Red Hat, with 1/40th the employees is actually fixing all of those vulnerabilities. I mean, shouldn’t some credit go to the FOSS community that also contributes to fixing vulnerabilities rather than giving redhat all of the credit.

By: Maddog

Maddog — Thu, 23 Aug 2007 08:30:44 +0000

Excellent reverse spin on Microsoft’s data! This just goes to show that Microsoft is spinning data to make its products look good. Jeff Jones should stop pretending he’s a security guy and proclaim himself as Microsoft’s marketing guru, their UberFUDMeister!