Security Portal: Linux vs Microsoft: Who solves security problems faster?
Jan 17, 2000, 17:08
"It is an article of faith among Open Source software advocates that the freely available source code of Linux makes it easier to identify and patch bugs than Closed Source software and hence provide greater overall systems security. But is there factual evidence behind this, or is it just a theory? After all, according to theory, a bumblebee shouldn't be able to fly, but I have been stung several times! We decided to go look for empirical evidence of the impact of Open Source software upon the speed at which vulnerabilities can be patched."
"Despite the loftiness of our goal, there are far too many difficult-to-quantify factors and we cannot claim this to be a scientific pursuit. Any veteran of this industry will tell you that you really can't prove security. However, by narrowing the scope of our research to common data elements in the bug fix process, it is possible to find some meaningful answers to the question of bug fix speed."
"What we decided to do was to look at the security advisories issued by Microsoft and Red Hat in 1999 and gauge the time lag between the point of a "general community awareness" of a security problem and the point at which a patch was released. We also threw Sun Microsystems into the mix for comparison's sake...."