Slashdot Mirror


How Long Does it Take Vendors to Release Patches?

MasterMynd asks: "In the IT field I'm frequented with questions regarding security updates of the OS's that we use. In my IT department we use a real mixture of OS's for desktops in addition to our many NOS's. More often than not I don't have an answer as to the routine question of how soon a security patch will be available. Normally I give "It should be done in about a week" as my answer. But truth remaining I don't have any answer as to when it will be available because vendors aren't forthcoming about such info. Rumours and anecdotes abound in how long it normally takes to get a patch. Are there any current reports anywhere showing a comparison of how much time it takes to produce a patch or workaround from the time it's discovered until it's available for download, from the major NOS & Desktop vendors?" As computer security becomes more and more important, such resources will become invaluable. Any clues as to where such may be found?

4 of 6 comments

  1. easy by DrSkwid · Score: 1

    it's one day for each inch in this piece of string I have here in my desk drawer!

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  2. Honesty is the best policy by Anonymous Coward · Score: 1, Insightful

    More often than not I don't have an answer as to the routine question of how soon a security patch will be available. Normally I give "It should be done in about a week" as my answer. But truth remaining I don't have any answer as to when it will be available because vendors aren't forthcoming about such info.

    How about a more honest "I don't know because the vendor hasn't announced a schedule." Or, "I'll install the patch as soon as it is available."

  3. Securityfocus study by pthisis · Score: 2

    Securityfocus did this sort of study.

    I can't find the whole thing, but there's a summary at linux weekly news, and googling for "days recess security focus microsoft linux" or similar might help (days of recess is a measure of response time).

    Sumner

    --
    rage, rage against the dying of the light
  4. Patch vs. disclosure by ezs · Score: 1

    My own view is that the software vendor should release 'timely' patches - in many cases less than one week is good going (Apple patches OSX); in other cases a major architectural change may be required which would lead to a 'workaround' until fixed. I suppose this really comes back to the key question of how security defects/exploits are reported - to the vendor in a responsible manner, to the vendor under a "less open" mechanism (ahem - see /. past, present and future) or directly to the net at large.

    --
    Evil ZEN Scientist