Linux Backers Question CERT Vulnerability Stats
A recent report from the Computer Emergency Readiness Team that said Linux and Unix combined have 2,328 security vulnerabilities has been the target of major criticism from Linux supporters.
The numbers are inflated because they count the same vulnerability each time it appeared last year in any given Linux distribution, the operating system's backers say. The CERT stats also appear to include problems with scripting languages such as PHP or applications that aren't part of the core Linux operating system.
The CERT numbers also may include multiple reports for the same bug, a common problem in the open-source community, says David Humphrey, a senior technology adviser for the Ekaru consulting firm. In the open-source world, a bug report isn't only issued anytime something is discovered, but frequently at each stage of the fix, he says. That contrasts with Microsoft's approach, which typically reports a bug once, after it's been corrected.
"I don't think that you can accurately draw conclusions from the CERT report," says Dave Rosenberg, senior analyst at the Open Source Development Labs, a vendor consortium that helps maintain the core Linux kernel. "This report doesn't provide any beneficial information for CIOs or IT staff making security decisions." CERT spokesmen didn't return numerous phone calls seeking comment on the organization's counting methodology.