Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Nov 2017 20:52:47 +0100
From: Kristian Fiskerstrand <>
To:, Solar Designer <>
Subject: Re: (linux-)distros list use statistics

On 11/13/2017 08:38 PM, Kristian Fiskerstrand wrote:
>> Thank you, Kristian!
>> This lists two very long embargo periods for two Linux kernel issues: 96
>> days for CVE-2017-7533 and 28 days for CVE-2017-1000255.  While this is
>> useful info, it does not reflect (linux-)distros' lists performance as
>> it includes embargo periods from prior to disclosure to those lists.
>> Also, we can't reliably know of such prior embargo periods, so our data
>> would be inconsistent, which is especially bad for calculating averages.
> It is calculated from first report on distros list, that said, for
> CVE-2017-1000255 there was some missing data for first publication (it
> is public through
> and
> since 9th), so the publication
> time is 5.97 days (although not for oss-security posting).

Tracked down the -7533 issue as well, it was a fat-finger in the data.
The wiki page is updated with correct info. But the new table is:

Date	All
Number of reports	24
Average embargo time (first public)	5.84
Average embargo time (oss-security)	6.95

2017-06	2017-07	2017-08	2017-09	2017-10
1	3	6	9	5
10.84	4.69	6.39	5.83	4.90
14.16	5.03	6.39	5.84	9.31

Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Download attachment "distros-stats.png" of type "image/png" (30426 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ