From owner-freebsd-advocacy Sun Jun 4 23:42:58 2000
Delivered-To: freebsd-advocacy@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id C7F9237B820; Sun, 4 Jun 2000 23:42:20 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id XAA49230; Sun, 4 Jun 2000 23:42:20 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sun, 4 Jun 2000 23:42:20 -0700 (PDT)
From: Kris Kennaway
To: Nicolas
Cc: Matt Heckaman, FreeBSD-ADVOCACY
Subject: Re: FreeBSD/Solaris
In-Reply-To: <02e301bfce62$9b4e73b0$7d0a36d5@gottt>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-advocacy@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 4 Jun 2000, Nicolas wrote:

> Aggregate stats for 3 years of Bugtraq are now available.
>
> Ever wanted to know which operating systems and applications have the most
> reported security vulnerabilities? Are there more known vulnerabilities in
> Windows NT or Linux?
>
> http://www.securityfocus.com/frames/?content=/vdb/stats.html
>
> end of copy
>
> I hope this is what you are looking for.

Actually these numbers are slightly misleading in this context: they include with FreeBSD some port vulnerabilities as well (plus they're only based on vulnerabilities collected from those reported to bugtraq, so they're necessarily incomplete). But even so, Solaris is way "ahead" of FreeBSD in the list.

Speaking as one of the FreeBSD security officers, we are pretty good at reporting holes which are internally discovered (i.e. not disclosed in public by someone else), but I can't say the same about Solaris - most of their advisories seem to be in response to exploits published in bugtraq, thereby "forcing their hand".
There's also the fact that Solaris is *still* having root exploit after root exploit found because of failure to audit their vulnerable code. I must admit I have a bit of a soft spot for Solaris, but it's certainly not because of their attention to security.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-advocacy" in the body of the message