
Security Portal: Linux vs Microsoft: Who solves security problems faster?

“It is an article of faith among Open Source software
advocates that the freely available source code of Linux makes it
easier to identify and patch bugs than Closed Source software and
hence provides greater overall systems security. But is there
factual evidence behind this, or is it just a theory? After
all, according to theory, a bumblebee shouldn’t be able to fly, but
I have been stung several times! We decided to go look for
empirical evidence of the impact of Open Source software upon the
speed at which vulnerabilities can be patched.”

“Despite the loftiness of our goal, there are far too many
difficult-to-quantify factors and we cannot claim this to be a
scientific pursuit. Any veteran of this industry will tell you that
you really can’t prove security. However, by narrowing the scope of
our research to common data elements in the bug fix process, it is
possible to find some meaningful answers to the question of bug fix
speed.”

“What we decided to do was to look at the security advisories
issued by Microsoft and Red Hat in 1999 and gauge the time lag
between the point of a “general community awareness” of a security
problem and the point at which a patch was released. We also threw
Sun Microsystems into the mix for comparison’s sake….”
