03 Mar 2009: Source of Vulnerabilities
From time to time I publish metrics on vulnerabilities that affect Red Hat Enterprise Linux. One of the more interesting metrics looks at how far in advance we know about the vulnerabilities we fix, and from where we get that information. This post is abstracted from the upcoming "4 years of Enterprise Linux 4" risk report
For every fixed vulnerability across every package and every severity in Enterprise Linux 4 AS in the first 4 years of its life, we determined if the flaw was something we knew about a day or more in advance of it being publicly disclosed, and how we found out about the flaw.
For vulnerabilities which are already public when we first hear about them we still track the source as it's a useful internal indicator on where the security response team should focus their efforts.
So from this data, Red Hat knew about 51% of the security vulnerabilities that we fixed at least a day in advance of them being publicly disclosed. For those issues, the average notice was 21 calendar days, although the median was much lower, with half the private issues having advance notice of 9 days or less.
Created: 03 Mar 2009
Tagged as: metrics, redhat, security
2 comments (new comments disabled)
Title: re: what fix publish time - notification time? Posted by: Mark Cox Time: Wed, 04 Mar 2009 09:59 If you want to find out how long it took to address those vulnerabilities you can use the metrics and perl script at www.redhat.com/security/data/metrics In most of the cases where we know about vulnerabilities in advance we have no direct control over the length of time before the vulnerability is public. For example we may be waiting for upstream to release their new version, or a co-ordinated release by some researcher or CERT.
One statistic that I'm missing is the distribution of number of days from the time that you get notification of a problem until an update to address the vulnerability is published. Or, do you consider the publishing of an updated package to be a form of public disclosure? In that case I'm a bit troubled by the fact that as many as 9% of all vulnerabilities are known by RH for more than 30 days before an update is available. Bad guys can know about vulnerabilities before public disclosure too, you know :)