From: dilabox at gmail.com (dila)
Subject: Any study on patch availability?

http://secunia.com/advisory_statistics/

ever heard of google?


On Sun, 26 Dec 2004 12:26:17 -0500 (EST),
sudhakar+fulldisclosure@...princeton.edu
<sudhakar+fulldisclosure@...princeton.edu> wrote:
> 
> Hi all,
> 
> Holiday season greetings.
> 
> I am a PhD student at Princeton studying security. I am interested in
> studying vulnerability statistics. I am interested in answering questions
> like:
> 
> 1. Which are the programs where bugs are found often?
> 
> 2. Which vendors tend to be frequently affected?
> 
> 3. What are the common vulnerabilities (buffer overflows I guess)?
> 
> 4. How often are patches available before a vulnerability is publicly
> disclosed?
> 
> 5. How much time does it take for a typical vendor to patch the bug? How
> diligent are various vendors regarding releasing patches?
> 
> 6. What are the OS specific statistics?
> 
> 7. How diligent are users/administrators regarding patching? In some cases
> there might be genuine reasons why you cannot patch (loss of availability
> etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.
> 
> 8. Have there been situations when a patch has not been available for a
> long time, say more than a month?
> 
> .
> .
> .
> .
> .
> 
> I am primarily interested in seeing how fast the patches are out. I am
> more interested in knowing about those situations when a patch is not
> available fast. What did people do to avoid getting hit? I would
> appreciate some concrete examples. So I am mostly interested in questions
> 4, 5, and 8.
> 
> Has someone already studied these patterns? Can the community refer me to
> some useful links? I would appreciate concrete examples and a quantitative
> analysis. I have talked to a few system administrators. But I am confused
> whether patch availability is indeed a problem. Unfortunately, the answer
> is specific to what software you are running and the answer tends to be
> subjective.
> 
> Thanks in advance,
> Regards,
> Sudhakar.
> 
> Sudhakar Govindavajhala                   Department of Computer Science
> Graduate Student,                         Princeton University
> Ph : (lab) +1 609 258 1763                   (office) +1 609 258 1798
>                http://www.cs.princeton.edu/~sudhakar
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
