Vulnerability Count

Digital Wokan plug-discuss@lists.PLUG.phoenix.az.us
Fri, 24 Aug 2001 18:57:54 -0700


"John (EBo) David" wrote:
> George Toft wrote:
> > So here I was, surfing Security Focus, and I noticed they track every
> > vulnerability for Windows, Solaris, and Linux.  I put this page
> > together:
> > http://georgetoft.com/security/survey/index.shtml
> > to count the vulnerabilities.  Why spend 5 minutes counting when I can
> > write a script in an hour to do the same thing?  Because it is as
> > current as Security Focus.
> >
> > Interesting numbers - they directly contradict Microsoft's statements
> > about their security.  No Linux bias here, nosiree!  That's why I
> > chose a vendor-neutral site for my data.
> 
> hmmm... are there any statisticians out there who could suggest a decent
> set of metrics that normalizes the number of vulnerabilities over time?
> something like
> 
> OS                        Raw_Count   Years_in_service   vulnerability_index (v/year)
> Microsoft Windows 2000:      172            1.5                   114.67
> Solaris                      162            7.0                    23.14
> ...
> 
> It would also be nice if you could plot the frequency of vulnerabilities
> over time and compare them on a single graph...
> 
>   EBo --

A breakdown of remotely exploitable vs locally exploitable would be
good, too.
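The normalization EBo sketches (raw count divided by years in service), the remote/local breakdown asked for above, and the per-year buckets one would plot can all be computed from a single pass over a vulnerability feed. The script below is an added example written for this page; it is not George's survey script and does not fetch anything from Security Focus. The feed format, the sample records and the in-service start dates are all constructed or assumed for illustration, so the numbers it prints are not real counts. It goes slightly beyond the table in the thread by also producing the remote/local split and a per-year series with a crude text plot.

```python
"""Normalize raw vulnerability counts the way the thread proposes:
count per OS, divide by years in service, split remote vs local,
and bucket by year for a frequency plot.  Added example, not the survey's code."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample feed, NOT real SecurityFocus data.  One record per line:
#   disclosure-date|OS|remote-or-local|title
SAMPLE_FEED = """\
2000-03-14|Windows 2000|remote|constructed entry A
2000-09-02|Windows 2000|local|constructed entry B
2001-01-20|Windows 2000|remote|constructed entry C
2001-06-05|Windows 2000|remote|constructed entry D
1996-11-01|Solaris|local|constructed entry E
1999-04-12|Solaris|remote|constructed entry F
2001-02-28|Solaris|local|constructed entry G
"""

# Assumed in-service start dates (hypothetical; use whatever the survey defines).
IN_SERVICE_SINCE = {
    "Windows 2000": date(2000, 2, 17),
    "Solaris": date(1992, 6, 1),
}

# Date the survey is taken "as of"; the thread's posting date, used for the demo.
SURVEY_DATE = date(2001, 8, 24)


def parse_feed(text):
    """Return a list of (os, disclosure_date, is_remote) from the feed text.
    Malformed lines or unknown scopes are skipped rather than crashing the run."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 3:
            continue
        day, os_name, scope = parts[0], parts[1].strip(), parts[2].strip().lower()
        if scope not in ("remote", "local"):
            continue
        y, m, d = (int(x) for x in day.split("-"))
        records.append((os_name, date(y, m, d), scope == "remote"))
    return records


def years_in_service(os_name, as_of):
    """Elapsed years between the assumed in-service date and as_of."""
    return (as_of - IN_SERVICE_SINCE[os_name]).days / 365.25


def vulnerability_index(records, as_of):
    """Per OS: (raw_count, years_in_service, vulnerabilities per year)."""
    counts = Counter(os_name for os_name, _, _ in records)
    result = {}
    for os_name, n in counts.items():
        years = years_in_service(os_name, as_of)
        result[os_name] = (n, years, n / years)
    return result


def remote_local_split(records):
    """Per OS: {'remote': n, 'local': n}."""
    split = defaultdict(lambda: {"remote": 0, "local": 0})
    for os_name, _, is_remote in records:
        split[os_name]["remote" if is_remote else "local"] += 1
    return dict(split)


def yearly_frequency(records):
    """Per OS: {year: count}, the series one would plot over time."""
    freq = defaultdict(Counter)
    for os_name, disclosed, _ in records:
        freq[os_name][disclosed.year] += 1
    return {os_name: dict(sorted(c.items())) for os_name, c in freq.items()}


def text_plot(freq, width=20):
    """Crude ASCII bar chart of yearly frequency, one row per OS/year."""
    peak = max((n for c in freq.values() for n in c.values()), default=1)
    rows = []
    for os_name, by_year in freq.items():
        for year, n in by_year.items():
            rows.append(f"{os_name:14} {year}  {'#' * (n * width // peak)} {n}")
    return "\n".join(rows)


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    print(f"{'OS':14} {'Raw':>4} {'Years':>6} {'v/year':>8}")
    for os_name, (n, yrs, idx) in vulnerability_index(recs, SURVEY_DATE).items():
        print(f"{os_name:14} {n:4d} {yrs:6.2f} {idx:8.2f}")
    print(remote_local_split(recs))
    print(text_plot(yearly_frequency(recs)))
```

The per-year index depends entirely on what you pick as the in-service start date and on how the source classifies remote versus local, so any comparison should state both choices alongside the numbers.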