June 18, 2007

real world security

There are lots of bogus security metrics out there, not the least of which is the often-quoted count of vendor-disclosed, patched vulnerabilities. I've complained in the past about this being used as a primary metric and suggested that a more important one is the time it takes a vendor to fix the problem once it knows about it.

Window adds another piece to that by talking about the time it takes to actually deploy the fix to users: a patch that has shipped but not reached the user's machine protects nobody. This is an area where Firefox does a pretty amazing job, and as you can see from Window's post, we're getting better with each release.
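
To make the difference between these three metrics concrete, here is an added example that is not part of the original post and does not use Mozilla's or any vendor's real numbers. It computes, for two hypothetical vendors with constructed data, the raw count of patched vulnerabilities, the median days from disclosure to fix, and the deployment lag (days until a target share of users run the fix, and the expected number of days an average user stays on a vulnerable build after the fix ships). The vendor names, dates and deployment curves are all made up for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data: two hypothetical vendors (not real products, not
# Mozilla's numbers). Each entry is (date the vendor learned of the flaw,
# date a release containing the fix shipped).
VULNS = {
    "VendorA": [
        (date(2007, 1, 3), date(2007, 1, 10)),
        (date(2007, 2, 14), date(2007, 2, 20)),
        (date(2007, 3, 2), date(2007, 3, 9)),
        (date(2007, 4, 11), date(2007, 4, 16)),
        (date(2007, 5, 7), date(2007, 5, 15)),
    ],
    "VendorB": [
        (date(2007, 1, 8), date(2007, 3, 20)),
        (date(2007, 2, 1), date(2007, 4, 30)),
    ],
}

# Constructed deployment curves: percentage of the user base running the
# fixed version on day N after release (index 0 = release day). VendorA
# pushes updates automatically; VendorB relies on users updating by hand.
DEPLOYMENT = {
    "VendorA": [0, 30, 60, 80, 90, 95, 97, 98],
    "VendorB": [0, 5, 10, 15, 20, 25, 30, 35],
}


def patched_count(vendor):
    """The 'bogus' metric: how many fixed vulnerabilities were disclosed."""
    return len(VULNS[vendor])


def days_to_fix(vendor):
    """Days between the vendor learning of each flaw and shipping a fix."""
    return [(fixed - disclosed).days for disclosed, fixed in VULNS[vendor]]


def median_days_to_fix(vendor):
    return median(days_to_fix(vendor))


def days_to_coverage(vendor, target_percent):
    """First day after release on which at least target_percent of users
    run the fix, or None if the observed curve never gets there."""
    for day, pct in enumerate(DEPLOYMENT[vendor]):
        if pct >= target_percent:
            return day
    return None


def unpatched_user_days(vendor):
    """Area above the deployment curve: expected days an average user spends
    on a vulnerable build after the fix is available, within the window."""
    return sum(100 - pct for pct in DEPLOYMENT[vendor]) / 100


def exposure_per_vuln(vendor):
    """Rough end-to-end exposure for a typical user: time the vendor took to
    ship plus time the user waited for the shipped fix to reach them."""
    return median_days_to_fix(vendor) + unpatched_user_days(vendor)


def report(vendors=("VendorA", "VendorB")):
    return {
        v: {
            "patched_vulns": patched_count(v),
            "median_days_to_fix": median_days_to_fix(v),
            "days_to_90pct_deployed": days_to_coverage(v, 90),
            "unpatched_user_days": unpatched_user_days(v),
            "exposure_per_vuln": exposure_per_vuln(v),
        }
        for v in vendors
    }


if __name__ == "__main__":
    for vendor, metrics in report().items():
        print(vendor)
        for name, value in metrics.items():
            print(f"  {name:>24}: {value}")
```

On this constructed data the raw count makes VendorB look better (2 patched flaws against VendorA's 5), while the time-to-fix and deployment numbers show the opposite: VendorA's users spend roughly ten days exposed per flaw, VendorB's well over eighty, and VendorB never reaches 90% deployment inside the window. The count measures how much a vendor found and admitted, not how long its users were at risk.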

Quickly fixing bugs and getting those fixes into the hands of as many users as possible is a cornerstone of our approach to security. No software of any complexity is bug-free, and with so much money to be made and havoc to be created, the bad guys are going to find and exploit software flaws. Our ability to update the overwhelming majority of Firefox users in just a few days is pretty amazing and means that our users are going to be some of the most secure on the Web.

Posted by asa at 4:56 PM