Posted by on December 24, 2004, 6:11 pm
Hi all,
Holiday season greetings.
I am a PhD student at Princeton studying security. I am
interested in studying vulnerability statistics. I am interested in
answering questions like:
1. Which are the programs where bugs are found often?
2. Which vendors tend to be frequently affected?
3. What are the common vulnerabilities (buffer overflows I guess)?
4. How often are patches available before a vulnerability is publicly
disclosed?
5. How much time does it take for a typical vendor to patch the bug? How diligent are various vendors regarding releasing patches?
6. What are the OS specific statistics?
7. How diligent are users/administrators regarding patching? In some cases there might be genuine reasons why you cannot patch (loss of availability etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.
8. Have there been situations when a patch has not been available for a long time, say more than a month?
I am primarily interested in seeing how fast the patches are out. I am more interested in knowing about those situations when a patch is not available fast. What did people do to avoid getting hit? I would appreciate some concrete examples. So I am mostly interested in questions 4, 5, and 8.
Has someone already studied these patterns? Can the community refer me to some useful links? I would appreciate concrete examples and a quantitative analysis. I have talked to a few system administrators, but I am confused whether patch availability is indeed a problem. Unfortunately, the answer is specific to what software you are running, and the answer tends to be subjective.
Thanks in advance,
Regards,
Sudhakar.
http://www.cs.princeton.edu/~sudhakar