Date: Mon, 15 May 2000 15:20:53 -0400
From: "Crist J. Clark" <cjclark@home.com>
To: freebsd-chat@freebsd.org
Subject: BUGTRAQ Vulnerabilities Stats
Message-ID: <20000515152053.A54495@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com

I was just having a look at the statistics compiled at

http://www.securityfocus.com/vdb/stats.html

of the BUGTRAQ vulnerabilities for the past three years. For those interested, FreeBSD is one of those included on the list.

For all of the OSs, you need to consider how much they are deployed (someone, whitehat, blackhat, or a designer's own engineers, needs to find the hole first) and what roles they fill (how many webservers are running under MacOS?) before taking the sheer number of reports as an indication of the software's quality.

There are no big shocks to me. WinNT easily tops the list, with "Linux" pulling up not too far behind. "Linux" is not surprising since it is an aggregation of various distributions. Debian and RedHat are singled out and have much lower numbers when looked at individually.

FreeBSD has the most of the *BSDs listed (Free, Net, and Open), with 1999 having quite a spike (but almost all OSes have a spike in '99). The big 2.2 to 3 jump is probably a big part of that. That FreeBSD has more than OpenBSD is no surprise given that OpenBSD's primary goal is security. That it has more than NetBSD may be accounted for by FreeBSD being more widely deployed with more aggressive development? Or is NetBSD more security conscious? I don't have enough feel for what's up with NetBSD to say.

Anyway, I just found the info at SecurityFocus interesting and wondered if anyone out there had any brilliant insights into the stats... Or any brilliant reasons why the numbers are meaningless. Better yet, anyone have more thorough cites for security comparisons among a broad range of OSes (not the old NT versus "UNIX" ones, please).

-- 
Crist J. Clark cjclark@home.com