[Info-vax] Industry timescale trends for fixing vulnerabilities
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Feb 14 13:56:07 EST 2022
An interesting report from Google Project Zero shows that the
industry is moving towards quicker response times when fixing
vulnerabilities (and deploying the fixes).
It is taking an average of 52 days to go through the fixing process
and the Linux security people are way out front with an average fix
time of just 25 days.
The report itself is here:
https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html
and the Register's summary is here:
https://www.theregister.com/2022/02/14/in_brief_security/
This is directly applicable to VSI as this is the world they are
now working in, and these are the kind of timescales in which
vulnerabilities are now expected to be fixed (and in which even reports
about possible security issues in general are examined) these days.
BTW, Google allow a vendor a maximum of 90 days to fix the issue,
along with an additional grace period of 14 days, before they disclose
the vulnerability details.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.