They talk about "average days of risk". First we have to define "days of risk". Simply put it would be defined as the time between when the vulnerability is announced to the world and when the software is patched.
In Microsofts world a vulnerability is found in two ways. 1) None M$ employee(hacker, user, admin, ect..), or 2) a Microsoft developer. If you were Microsoft and found a vulnerability when would you announce it? Not until you atleast had a patch in the works (and during that unknown length of time hope to god that someone else does not find that vulnerability). Thus the days the vulnerability is know about and the actual days of risk are skwed.
In the linux world who finds these vulnerabilities? 1) The linux community. If the community finds a vulnerability , the announcement is made immediatly and thus a patch is in the works immediatly.
So to put it simply, you can't compare "days of risk" between linux and windows because the process of discovery and resolution is different between the two Operating Systems.
Side note: I have not looked at what kind of vulnerabilities were talked about, but the majority of linux vulnerabilities rely on local user access. This is not so for Windows. So I'm curious how they messure "levels of risk".
Slashdot Mirror
They talk about "average days of risk". First we have to define "days of risk". Simply put it would be defined as the time between when the vulnerability is announced to the world and when the software is patched.
In Microsofts world a vulnerability is found in two ways. 1) None M$ employee(hacker, user, admin, ect..), or 2) a Microsoft developer. If you were Microsoft and found a vulnerability when would you announce it? Not until you atleast had a patch in the works (and during that unknown length of time hope to god that someone else does not find that vulnerability). Thus the days the vulnerability is know about and the actual days of risk are skwed.
In the linux world who finds these vulnerabilities? 1) The linux community. If the community finds a vulnerability , the announcement is made immediatly and thus a patch is in the works immediatly.
So to put it simply, you can't compare "days of risk" between linux and windows because the process of discovery and resolution is different between the two Operating Systems.
Side note: I have not looked at what kind of vulnerabilities were talked about, but the majority of linux vulnerabilities rely on local user access. This is not so for Windows. So I'm curious how they messure "levels of risk".