You might know Jeff Jones' work on the different vulnerability reports comparing different products and vendors. Our goal is to understand and measure our progress and see where we stand with regard to the industry.
Today, Jeff released his OS Desktop vulnerability report for H1 2008, which, to me, shows some interesting results.
The first is Days of Risk: on average, how many days after disclosure it took a vendor to fix a vulnerability. He also weighted them based on whether they are critical, important or low:
Secondly, he shows the number of vulnerabilities for all the vendors he is looking at:
And last but definitely not least, he compares the different OSs:
There is one other interesting finding: 25% of the vulnerabilities are shared by more than one vendor!
If you want to download the report, you can find Jeff's post here: http://blogs.technet.com/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx