One Article Review

Home - The article:
Source Google ProjectZero
Identifier 8221936
Publication date 2022-08-23 11:50:56 (viewed: 2022-11-25 18:05:33)
Title A walk through Project Zero metrics
Text Posted by Ryan Schoen, Project Zero

tl;dr

In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.

In addition to the average now being well below the 90-day deadline, we have also seen a drop-off in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period.

Differences in the amount of time it takes a vendor/product to ship a fix to users reflect their product design, development practices, update cadence, and general processes towards security reports. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies.

This data aggregation and analysis is relatively new for Project Zero, but we hope to do it more in the future. We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities, as well as more data sharing and transparency in general.

Overview

For nearly ten years, Google's Project Zero has been working to make it more difficult for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. In that time, we have partnered with folks across industry to transform the way organizations prioritize and approach fixing security vulnerabilities and updating people's software. To help contextualize the shifts we are seeing the ecosystem make, we looked back at the set of vulnerabilities Project Zero has been reporting, how a range of vendors have been responding to them, and then attempted to identify trends in this data, such as how the industry as a whole is patching vulnerabilities faster.
For this post, we look at fixed bugs that were reported between January 2019 and December 2021 (2019 is the year we made changes to our disclosure policies and also began recording more detailed metrics on our reported bugs). The data we'll be referencing is publicly available on the Project Zero Bug Tracker, and on various open source project repositories (in the case of the data used below to track the timeline of open-source browser bugs). There are a number of caveats with our data, the largest being that we'll be looking at a small number of samples, so differences in numbers may or may not be statistically significant. Also, the direction of Project Zero's research is almost entirely influenced by the choices of individual researchers, so changes in our researc
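As an added illustration (not code from the post or from Project Zero), the script below applies the metric definitions used above to constructed sample records: calendar days from report to shipped fix, bucketed against the 90-day deadline and the 14-day grace period, and summarized per report year. The vendor names and dates are constructed and do not come from the Project Zero bug tracker.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

DEADLINE_DAYS = 90   # standard Project Zero disclosure deadline
GRACE_DAYS = 14      # additional grace period a vendor may request

# Constructed sample records (NOT real Project Zero tracker data):
# (vendor, date reported, date fix shipped), all ISO-8601.
SAMPLE_BUGS = [
    ("vendor-a", "2020-02-03", "2020-04-20"),
    ("vendor-b", "2020-09-01", "2020-12-08"),
    ("vendor-a", "2021-01-04", "2021-02-10"),
    ("vendor-c", "2021-03-01", "2021-06-04"),
    ("vendor-b", "2021-05-10", "2021-05-25"),
    ("vendor-c", "2021-07-15", "2021-11-10"),
]


def days_to_fix(reported: str, fixed: str) -> int:
    """Calendar days between the report and the shipped fix."""
    return (date.fromisoformat(fixed) - date.fromisoformat(reported)).days


def classify(days: int) -> str:
    """Bucket a fix: within the deadline, within the grace period, or missed."""
    if days <= DEADLINE_DAYS:
        return "on_time"
    if days <= DEADLINE_DAYS + GRACE_DAYS:
        return "grace"
    return "missed"


def summarize_by_year(bugs=SAMPLE_BUGS) -> dict:
    """Per report year: sample size, mean days-to-fix, share of bugs that
    needed the grace period, and count of fixes that missed the deadline."""
    per_year = defaultdict(list)
    for _, reported, fixed in bugs:
        per_year[reported[:4]].append(days_to_fix(reported, fixed))
    summary = {}
    for year, durations in sorted(per_year.items()):
        buckets = [classify(d) for d in durations]
        summary[year] = {
            "bugs": len(durations),
            "avg_days": mean(durations),
            "grace_pct": 100 * buckets.count("grace") / len(durations),
            "missed": buckets.count("missed"),
        }
    return summary


if __name__ == "__main__":
    for year, stats in summarize_by_year().items():
        print(year, stats)
```

With so few constructed records the percentages swing wildly, which mirrors the post's own caveat that small sample sizes limit what the year-over-year differences can show.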
Sent Yes
Tags Vulnerability Patching
Stories Uber
Notes ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.