Linux Backers Question CERT Vulnerability Stats

A recent report from the Computer Emergency Readiness Team that said Linux and Unix combined have 2,328 security vulnerabilities has been the target of major criticism from Linux supporters.

Johanna Ambrosio, Tech Journalist

February 3, 2006


The numbers are inflated because they count the same vulnerability each time it appeared last year in any given Linux distribution, the operating system's backers say. The CERT stats also appear to include problems with scripting languages such as PHP or applications that aren't part of the core Linux operating system.

The CERT numbers also may include multiple reports for the same bug, a common problem in the open-source community, says David Humphrey, a senior technology adviser for the Ekaru consulting firm. In the open-source world, a bug report is issued not only when something is discovered but frequently at each stage of the fix, he says. That contrasts with Microsoft's approach, which typically reports a bug once, after it's been corrected.

"I don't think that you can accurately draw conclusions from the CERT report," says Dave Rosenberg, senior analyst at the Open Source Development Labs, a vendor consortium that helps maintain the core Linux kernel. "This report doesn't provide any beneficial information for CIOs or IT staff making security decisions." CERT spokesmen didn't return numerous phone calls seeking comment on the organization's counting methodology.


About the Author

Johanna Ambrosio

Tech Journalist

Johanna Ambrosio is an award-winning freelance writer specializing in business and technology. She has been a reporter and an editor in the computer industry for over 25 years, covering virtually every technology topic, starting with 'office automation' in the 1980s, as well as management issues including ROI and how to attract and retain talent. Her work has appeared online and in print, in publications including Application Development Trends, Government Computer News, Crain's New York Business, Investor's Business Daily, InformationWEEK, and the Metrowest Daily News. She formerly worked at Computerworld, for which she held various positions, including online director. She holds a B.S. in technical writing from Polytechnic University in Brooklyn, N.Y., now the Tandon School of Engineering of New York University. She lives with her husband in a Boston suburb. Johanna's samples of her work are at https://www.clippings.me/jambrosio.
