Version: 2008

Comments on: IBM report: Vulnerabilities still going unpatched

IBM X-Force report finds many disclosed vulnerabilities are unpatched years later and that Microsoft is the vendor with the highest percentage of disclosed holes.

by GajaKannan February 2, 2009 12:44 PM PST
Sounds like cumulative vulnerabilities disclosed by Microsoft (XP, Vista, 2000, 2003 Server and 2008) is 24.7% vs. Apple (OS X Server and OS X) is 28.6%... Given the footprint of Windows vs. Apple, this sounds like a heck of a lot of issues with Apple... Is this really true? Also, Windows versions seem to cover from 2000 (except 'Me'); Apple, Solaris, IBM and Linux all show few or no breakdown on how old the versions are... Any real breakdowns?
by Seaspray0 February 2, 2009 2:48 PM PST
I agree. Was there a breakdown by revision? How the vulnerability counts were obtained is vague in this article.
by quux February 2, 2009 12:59 PM PST
"While Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed ..."

Please clarify. Did you switch to a plain list of disclosed vulns at this point in the article, or did you mean to continue speaking of vulnerabilities disclosed *but not patched* ?
by elinormills February 2, 2009 2:22 PM PST
That refers to disclosed vulnerabilities and not unpatched ones. I'll clarify it in the article.
by captainabab February 2, 2009 3:22 PM PST
Does the first list (Vendors with the most vulnerabilities disclosed in 2008) include ALL software from that vendor? (OS / Apps / Servers / IDEs etc.)

I assume so as Oracle, Mozilla, Drupal, Joomla! are on that list and they don't make operating systems.

If so, that is meaningless unless it is divided by the amount of software measured. So Microsoft makes the top of the list because it makes a wide variety of software. I also assume some of the Linux vendors get a break here because many Linux vulnerabilities are non-vendor-specific.

I would be more concerned about a vendor (Joomla!) that makes one product (a CMS) being only one percent behind a vendor like Microsoft that makes mobile, client & server operating systems, desktop applications, database servers, email servers, internet servers, browsers, a CMS (SharePoint), IDEs and other programming tools and runtimes, Mac software, Enterprise apps (Dynamics), security tools, entertainment software / games, etc.
by SneezingPanda February 3, 2009 1:21 AM PST
The link to the source in the article would be helpful. For the interested: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
by AmyStephen February 3, 2009 5:07 AM PST
I'm shocked! To the best of my knowledge, this is the second year now that IBM has published such claims against free software projects without contacting the projects to disclose specific problems.

It's not difficult to locate contact information. Google Security Project Name and links are at the top.

- Drupal - http://drupal.org/security
- Joomla! - http://developer.joomla.org/security.html
- TYPO3 - http://typo3.org/teams/security/

This is corporate bully-ism at its finest. If IBM wants to increase software security, step one is contacting those people with these so-called known issues so that they can bring necessary improvements. Then, if your PR guys insist on credit, contact the media and blow your own horn.

For 25 years, I've always been a fan of Big Blue. Shame on you, IBM!
by elinwaring February 4, 2009 2:54 AM PST
The problem with this list is that it punishes applications for disclosing vulnerabilities. The Joomla! project is committed to disclosing security issues along with providing patches as soon as we can when a vulnerability is brought to light. I am proud to say that Joomla! has 100% disclosure of vulnerabilities and 100% patched.

Many of the vulnerabilities patched this year never resulted in a single problem because they were discovered by community members who brought them to the attention of the security team. That is how community driven open source development works. That is how transparency and education about security makes applications more secure. Openness is also how we get our user community to understand the need to update when a security release is made. Being open with our user and developer community about issues that are discovered is a good thing, and I cannot understand why IBM would seek to discourage it.

For a great example of how open source projects such as Joomla! respond to security issues, take a look at this article.
http://developer.joomla.org/coordinator-blog/245-how-joomla-156-came-about.html

From the last lines:

Total time from report of vulnerability to initial release: 2 hours 50 minutes

Total time from report of vulnerability to completion of the release cycle: 3 hours 40 minutes

Total number of people directly involved: between 20 and 30

I think Joomla! has plenty to be proud of when it comes to how it handles vulnerabilities.