Bug fix scorecard
by Ruth Suehle
The score is Linux: lots, Microsoft: zero
A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix more Windows flaws than the number of open software flaws fixed by the major open source companies. Red Hat, with forty times fewer employees than Microsoft, did the best job, fixing and closing the most security bugs, and also closing even minor bugs, whereas Microsoft didn’t fix a single minor bug in the same period.
August 23rd, 2007 at 3:30 am
Excellent reverse spin on Microsoft’s data! This just goes to show that Microsoft is spinning data to make its products look good. Jeff Jones should stop pretending he’s a security guy and proclaim himself as Microsoft’s marketing guru, their UberFUDMeister!
August 24th, 2007 at 4:59 pm
So, uh, are Microsoft’s numbers so low because substantially fewer vulnerabilities were discovered, or is it because they are slow to fix things? From other posts on Jeff’s blog concerning days of vulnerability, MS also comes out in the lead, suggesting that they are fixing the bugs as they arise rather than avoiding fixes.
Also, isn’t it a bit misleading to suggest that Red Hat, with 1/40th the employees, is actually fixing all of those vulnerabilities? I mean, shouldn’t some credit go to the FOSS community that also contributes to fixing vulnerabilities, rather than giving Red Hat all of the credit?
August 24th, 2007 at 10:04 pm
Ummm. So since Red Hat had more vulnerabilities than Microsoft, they did a better job?? That’s the way to spin it.
Now if they had the same vulnerabilities discovered and one fixed more than the other, then that is a win. Otherwise Windows Vista is the clear winner here for not having much to fix.
August 28th, 2007 at 12:03 am
Vista not having much to fix? Or isn’t it more like they don’t announce everything they try to fix? Microsoft has a history of not disclosing bugfixes (see “Skeletons in Microsoft’s Patch Day closet”; http://blogs.zdnet.com/security/?p=316) and this controversial practice will definitely skew Jeff’s numbers. That renders Jeff’s “scorecard” practically useless.
September 18th, 2007 at 4:04 pm
This post looks like FUD to me, or at least it’s a great example of statistics published in an incomplete manner. The same data published as a ratio of fixes by category to bugs found would tell the story more accurately. Maddog’s post addresses the other reason this comparison is likely invalid.
October 16th, 2007 at 2:45 pm
[…] I saw this post from Jeff Jones over at Microsoft today. He mentions that Red Hat Enterprise Linux 4 recently patched their 1000th vulnerability, and provides a quote from Truth Happens(direct link to post), which is a Red Hat blog. I suggest you at least read Jeff’s post, since he quotes the relevant point of the Truth article. […]
October 16th, 2007 at 8:09 pm
You guys are amazing, thinking that fixing more bugs is a good thing. What are you doing to reduce the number of security bugs in the first place? Shipping junk and fixing lots of bugs later is simply “cowboy coding” and nothing to be proud of.
October 16th, 2007 at 9:34 pm
[…] Jeff Jones posted a blog entry to celebrate Red Hat fixing their 1000th unique security vulnerability. He also draws attention to a Red Hat post on their “Truth Happens” blog back in August, which itself quotes a post on Lxer.com. […]