On Mon, 3 Apr 2006, Gadi Evron wrote: > Looking at Microsoft's software of today, it is extremely well-written > and professional. Far beyond that of most others. Finding > vulnerabilities in them is extremely difficult. Most vulnerabilities you > will find will be logical in nature and not easy. A researcher mentioned to me offline that it takes a lot more time to find vulnerabilities in such software. This could be another quantitative indicator, although it would be highly variable depending on each individual researcher's methods and tools. > That is key, as today's data is very lacking to base much on. But we use > what we have, right? Until we start to collect what we should. Disclosure timelines weren't that common a few years ago, and now there's a virtual goldmine of data waiting for some enterprising person to examine notification-to-patch timelines as well as overall vendor responsiveness. - Steve
