25 Feb 2005: Real data
Yesterday I promised that we'd publish some of the mappings that we internally use in the Security Response Team. Three of these are available now.The first is a mapping of severity for every security advisory for Red Hat Enterprise Linux and Stronghold from release date through to Feb 15th 2005 (after Feb 15th 2005 this information is included on advisories as published).
These severities assigned to each RHSA are based on a unique assement of how each individual flaw affects the particular distribution, then rolling up the severities and picking the worst to give the overall severity rating. A second mapping therefore gives the severity rating we assigned to each individual vulnerability, by CVE name. Included in this mapping is also the date that each issue was first known publically.
The final mapping is RHSA to release date. In the majority of cases the "Issue Date" displayed on the advisory or by Red Hat Network is correct, however this file also contains fixes where the issue date was published incorrectly, was missing, or delayed. This file contains every RHSA from 2000 to date, and will get get updated from time to time.
We'll update the mappings from time to time (we keep up to date copies internally, so if you have specific questions or we've forgotten to update them in a while just drop secalert@redhat.com an email). We also have other mappings which are automatically generated from our errata system which we'll publish soon.
Created: 25 Feb 2005
Tagged as: metrics, red hat, security
