Secunia released a report this week that discusses a few aspects of the security landscape for 2007. Techworld ran a story based on this report with this headline: “Red Hat and Firefox more buggy than Microsoft.” While the headline is misleading, the Techworld article actually tells an interesting story.
Counting security vulnerabilities to compare the security of different software projects is flawed. It is only a useful metric if you are comparing a project to itself over time. I’ve discussed this topic here and here. It’s even more ridiculous to try to compare an open source bug count to a closed source project’s, because in an open source project you can see all the bugs, while for a closed source product like Internet Explorer you can only see the publicly found security issues.
So what is interesting in the Techworld article are the measures of real risk to users:
“‘[Z]ero-day’ security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer…”
“[I]n an examination of zero-day flaws – reported by third parties before a patch was available – Secunia found that Firefox tended to get more patches, sooner, compared to IE.”
“Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.”
At Mozilla we work as hard as we can to ship fixes as soon as possible to minimize the exposure to our users. It is great to see that the efforts we are making to minimize risk to users are paying off.