23 Mar 2006
A senior Red Hat software engineer has argued that members-only security mailing lists are still the best way of discovering information about security vulnerabilities in software.
In his blog, Mark Cox, a consulting engineer at Red Hat, said it had been gathering data on the sources of vulnerability information since March 2005. During that period, Red Hat learned of one third of the vulnerabilities from reports on the Vendor-sec mailing list, which can be read only by individuals who pass a vetting process. A further 23 percent came from contacts with the developers of software included in Red Hat products, such as the Apache Software Foundation.
However, the Cox blog shows there is still much valuable information to be gleaned from open mailing lists, such as the Full Disclosure list, which can be read by anyone without passing a vetting procedure. Such lists are often criticised for containing too much useless information.
Interestingly, Red Hat staff themselves discovered seven percent of vulnerabilities. While this figure is only a small percentage of the total, it demonstrates that Red Hat invests its own resources to identify flaws. Commercial software vendors such as Microsoft have yet to disclose similar data relating to their own products.
The Cox blog said that from March 2005 until last week, developers fixed 336 vulnerabilities in code shipped by Red Hat. However, it is not easy to compare this total against totals for other operating systems, because some of those vulnerabilities affected optional components that would not be installed by every user, and some vulnerabilities were less critical than others. The Cox blog also provides raw data, including the amount of time needed to fix a flaw.