Web Browser Security Summary (Corrections)


Asher

Oct 20, 2006, 9:18:12 PM
to Web Devout
If a "vulnerability report" is a Secunia advisory, then Internet
Explorer only has 19 reports (not 31) and only 1 high severity
vulnerability report (not 2). This of course would alter other values
as well, such as the mean and median average per day. Am I correct, or
am I misunderstanding?

Nanobot

Oct 20, 2006, 11:07:12 PM
to Web Devout
From the standards support summary article: "A vulnerability is
considered unfixed if the vulnerability report does not have a complete
vendor patch." Secunia's 19 figure is only the number of "unpatched"
advisories, not including "partially fixed" and "vendor workaround"
advisories. My reason for including these advisories is that the
security issues still exist in the program, even if they are fixed just
for certain situations or if the user can manually disable something in
order to avoid exposure to the issue (which most users don't do and
can't reasonably be expected to do).

For reference, here are the actual data files that are used on the
security summary page:

http://www.webdevout.net/include/security/msie.txt
http://www.webdevout.net/include/security/firefox.txt
http://www.webdevout.net/include/security/opera.txt

Column 1: Criticality
Column 2: Date published
Column 3: Date of official patch release with complete fix
Column 4: Number of vulnerabilities in the advisory
Column 5: Date of exploit or public working proof of concept
Column 6: Date the exploit was circumvented through a vendor action
without the need for a user action (for instance, for Secunia advisory
15292 <http://secunia.com/advisories/15292/>, the primary attack vector
was changed remotely to prevent the exploit until the next version, in
which the vulnerability was fixed)
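The six-column layout and the "unfixed" rule described in this post can be turned into a small tally script. The example below is added here and is not code from Web Devout or from the poster; it assumes tab-separated fields, ISO dates (YYYY-MM-DD) and an empty field meaning "no such date yet" (none of which the post states), and its sample rows are constructed, not real Secunia data. It counts unfixed and high-severity advisories the way the thread defines them (no complete vendor patch counts as unfixed; "extremely critical" and "highly critical" count as high severity) and also computes the mean and median days an advisory stayed unfixed, which the thread mentions as derived values.

```python
"""Tally a browser vulnerability data file in the six-column layout the post
describes: criticality, published date, complete-fix date, number of
vulnerabilities, exploit date, exploit-circumvented date.

Assumptions (not stated on the page): tab-separated fields, ISO dates,
empty field = date not (yet) known. SAMPLE is constructed, not real data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import List, Optional

# Secunia ratings the thread treats as "high severity".
HIGH_SEVERITY = {"extremely critical", "highly critical"}


@dataclass
class Advisory:
    criticality: str
    published: date
    fixed: Optional[date]         # date of complete vendor patch, None if unfixed
    count: int                    # vulnerabilities covered by the advisory
    exploit: Optional[date]       # public exploit or working proof of concept
    circumvented: Optional[date]  # exploit blocked by vendor action, no user step


def _parse_date(field: str) -> Optional[date]:
    field = field.strip()
    return date.fromisoformat(field) if field else None


def parse_file(text: str) -> List[Advisory]:
    """Parse the tab-separated data file into Advisory records."""
    advisories = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"expected 6 columns, got {len(cols)}: {line!r}")
        advisories.append(Advisory(
            criticality=cols[0].strip().lower(),
            published=_parse_date(cols[1]),
            fixed=_parse_date(cols[2]),
            count=int(cols[3]),
            exploit=_parse_date(cols[4]),
            circumvented=_parse_date(cols[5]),
        ))
    return advisories


def is_unfixed(a: Advisory) -> bool:
    # Per the thread: unfixed unless a complete vendor patch exists. Partial
    # fixes and workarounds leave column 3 empty, so they still count here.
    return a.fixed is None


def days_unfixed(a: Advisory, as_of: date) -> int:
    """Days from publication until the complete fix (or until as_of if none)."""
    end = a.fixed if a.fixed is not None else as_of
    return (end - a.published).days


def exposed_to_public_exploit(a: Advisory) -> bool:
    # A public exploit exists and neither a complete fix nor a vendor-side
    # circumvention (column 6) has closed it.
    return a.exploit is not None and a.fixed is None and a.circumvented is None


def summary(text: str, as_of: str) -> dict:
    """Compute the figures the summary page reports, as of an ISO date."""
    cutoff = date.fromisoformat(as_of)
    adv = parse_file(text)
    unfixed = [a for a in adv if is_unfixed(a)]
    high = [a for a in adv if a.criticality in HIGH_SEVERITY]
    durations = [days_unfixed(a, cutoff) for a in adv]
    return {
        "advisories": len(adv),
        "unfixed": len(unfixed),
        "high_severity": len(high),
        "unfixed_high_severity": sum(1 for a in unfixed if a.criticality in HIGH_SEVERITY),
        "unfixed_vulnerabilities": sum(a.count for a in unfixed),
        "exposed_to_exploit": sum(1 for a in adv if exposed_to_public_exploit(a)),
        "mean_days_unfixed": mean(durations) if durations else 0.0,
        "median_days_unfixed": median(durations) if durations else 0.0,
    }


# Constructed sample rows in the assumed layout (not real advisories).
SAMPLE = "\n".join([
    "Highly critical\t2006-01-10\t2006-02-01\t3\t2006-01-15\t",
    "Moderately critical\t2006-03-05\t\t1\t\t",
    "Extremely critical\t2006-04-20\t\t2\t2006-04-22\t2006-04-25",
    "Less critical\t2006-06-01\t2006-06-10\t1\t\t",
])

if __name__ == "__main__":
    for key, value in summary(SAMPLE, "2006-07-01").items():
        print(f"{key}: {value}")
```

Running it on the sample rows shows why the thread's numbers differ from Secunia's own "unpatched" figure: the second and third rows have no complete fix date and so count as unfixed here even though the third row's exploit was circumvented by a vendor action, and only the third row counts as both unfixed and high severity.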

Asher

Oct 22, 2006, 8:12:11 PM
to Web Devout
Thanks for explaining it so clearly. I now understand, and I agree with
the way you are doing it.
Just to make sure - the "high severity vulnerability reports" on the
tables are ones rated either "extremely critical" or "highly critical"
by Secunia, right?

Nanobot

Oct 22, 2006, 10:38:48 PM
to Web Devout
That's correct.