Posted by Adam Mein, Google Security Team

issued a correction to address the inaccuracies.

terminology mix-up.

As a result, the true unpatched rate for these high-risk bugs is 0 out of 2, or 0%.

Vendors disclose their vulnerabilities in inconsistent formats, using different severity classifications. This makes the process of measuring the number of total vulnerabilities assigned to a given vendor much more difficult. Assessing the severity, scope, and nature of a bug sometimes requires intimate knowledge of a product or technology, and this can lead to errors and misinterpretation. Keeping the fix status updated for thousands of entries is no small task, and we’ve consistently seen long-fixed errors marked as unfixed in a number of databases. Not all compilers of vulnerability databases perform their own independent verification of bugs they find reported from other sources. As a result, errors in one source can be replicated to others.
3 comments:
Hey Adam,
Is there an email address I can contact you at?
I am involved in doing vulnerability trends research but have also a team that works on a vulnerability database. There's a couple points in your article I'd like to discuss with yourself and Google.
Adam,
You highlight some good points. In addition to transparency, I would like to suggest that compilers create a sort of feedback loop with the customers with whom they are sharing the reports. The lack of a feedback loop or a channel to further probe into the vulnerability leaves the customers to decipher the report on their own, without having an intimate knowledge of the product design or of how the report was compiled.
Thanks,
Saqib
David,
You can contact the Google Security Team at security@google.com. All best,
Jay
Google Communications