lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.51.0604031645340.16296@faron.mitre.org>
Date: Mon, 3 Apr 2006 16:50:45 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: On product vulnerability history and vulnerability complexity



On Mon, 3 Apr 2006, Gadi Evron wrote:

> Looking at Microsoft's software of today, it is extremely well-written
> and professional. Far beyond that of most others. Finding
> vulnerabilities in them is extremely difficult. Most vulnerabilities you
> will find will be logical in nature and not easy.

A researcher mentioned to me offline that it takes a lot more time to find
vulnerabilities in such software.  This could be another quantitative
indicator, although it would be highly variable depending on each
individual researcher's methods and tools.

> That is key, as today's data is very lacking to base much on. But we use
> what we have, right?

Until we start to collect what we should.  Disclosure timelines weren't
that common a few years ago, and now there's a virtual goldmine of data
waiting for some enterprising person to examine notification-to-patch
timelines as well as overall vendor responsiveness.

- Steve


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ