Date: Mon, 13 Nov 2017 20:52:47 +0100
From: Kristian Fiskerstrand <k_f@...too.org>
To: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>
Subject: Re: (linux-)distros list use statistics

On 11/13/2017 08:38 PM, Kristian Fiskerstrand wrote:
>> Thank you, Kristian!
>>
>> This lists two very long embargo periods for two Linux kernel issues: 96
>> days for CVE-2017-7533 and 28 days for CVE-2017-1000255. While this is
>> useful info, it does not reflect (linux-)distros' lists performance as
>> it includes embargo periods from prior to disclosure to those lists.
>> Also, we can't reliably know of such prior embargo periods, so our data
>> would be inconsistent, which is especially bad for calculating averages.
>
> It is calculated from first report on distros list, that said, for
> CVE-2017-1000255 there was some missing data for first publication (it
> is public through
> https://access.redhat.com/security/cve/CVE-2017-1000255 and
> http://www.securityfocus.com/bid/101264 since 9th), so the publication
> time is 5.97 days (although not for oss-security posting).
>

Tracked down the -7533 issue as well, it was a fat-finger in the data.
The wiki page is updated with correct info. But the new table is:

Date                                    All  2017-06  2017-07  2017-08  2017-09  2017-10
Number of reports                        24        1        3        6        9        5
Average embargo time (first public)    5.84    10.84     4.69     6.39     5.83     4.90
Average embargo time (oss-security)    6.95    14.16     5.03     6.39     5.84     9.31

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: "distros-stats.png" (image/png, 30426 bytes)
Attachment: "signature.asc" (application/pgp-signature, 489 bytes)
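The figures in the message are per-report embargo lengths (from the first report to the distros list until first public disclosure, and until the oss-security posting) averaged per month and over all reports. As an added illustration that is not part of the original message or of the distros list's own tooling, the Python script below recomputes such a table from a constructed set of report timestamps. It assumes each record is (time reported to the distros list, time of first public disclosure, time of the oss-security posting or None when the issue became public elsewhere and was never posted to the list), the situation the message describes for CVE-2017-1000255; the sample records and the column layout are assumptions for the example only.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not the real distros list data: each tuple is
# (reported to the distros list, first public disclosure, oss-security posting or None).
# Timestamps carry hours so that embargo lengths come out as fractional days,
# matching the "5.97 days" style of the figures in the thread.
SAMPLE_REPORTS = [
    ("2017-09-01 10:00", "2017-09-06 12:00", "2017-09-06 12:00"),
    ("2017-09-10 08:00", "2017-09-15 08:00", None),  # public via a vendor advisory, never posted
    ("2017-10-02 09:00", "2017-10-04 09:00", "2017-10-05 09:00"),
    ("2017-10-20 00:00", "2017-10-24 12:00", "2017-10-24 12:00"),
]

FMT = "%Y-%m-%d %H:%M"


def embargo_days(start, end):
    """Fractional days from the distros report to the given disclosure event."""
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 86400


def embargo_stats(reports):
    """Return {bucket: (count, avg_first_public, avg_oss_security)} for each
    YYYY-MM bucket (keyed by the month the report reached the distros list)
    plus an "All" bucket.  Averages are rounded to two decimals; the
    oss-security average is None when nothing in the bucket was posted.
    "All" pools every sample, so it is the report-weighted mean of the
    monthly figures, not the mean of the monthly means."""
    buckets = defaultdict(lambda: {"n": 0, "public": [], "oss": []})
    for reported, public, oss in reports:
        for key in ("All", reported[:7]):
            b = buckets[key]
            b["n"] += 1
            b["public"].append(embargo_days(reported, public))
            if oss is not None:  # never posted: excluded from that average only
                b["oss"].append(embargo_days(reported, oss))

    def avg(xs):
        return round(sum(xs) / len(xs), 2) if xs else None

    return {k: (b["n"], avg(b["public"]), avg(b["oss"])) for k, b in buckets.items()}


def render_table(stats):
    """Lay the statistics out like the table in the thread: one column per bucket."""
    cols = ["All"] + sorted(k for k in stats if k != "All")
    rows = [
        ("Number of reports", lambda s: str(s[0])),
        ("Average embargo time (first public)", lambda s: f"{s[1]:.2f}"),
        ("Average embargo time (oss-security)",
         lambda s: "n/a" if s[2] is None else f"{s[2]:.2f}"),
    ]
    lines = ["Date".ljust(38) + "".join(c.rjust(9) for c in cols)]
    for label, fmt in rows:
        lines.append(label.ljust(38) + "".join(fmt(stats[c]).rjust(9) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(embargo_stats(SAMPLE_REPORTS)))
```

Pooling the samples for the "All" column is what keeps it consistent with the monthly columns: in the message's own table, (1*10.84 + 3*4.69 + 6*6.39 + 9*5.83 + 5*4.90)/24 = 5.84 and (1*14.16 + 3*5.03 + 6*6.39 + 9*5.84 + 5*9.31)/24 = 6.95, so the overall figures are the report-weighted means. A report whose oss-security timestamp is missing is dropped from that one average rather than from the report count, which is how a "public elsewhere, not posted to oss-security" case can contribute a first-public embargo without distorting the other column.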