I would be interested to learn where these studies are as well... I have been tasked with developing a white paper on a similar subject (overall timelines of discovery of vulnerability -> publication -> exploit -> patch) and the only sources that I have found so far are the thesis work of Daniel Bilar (PhD candidate at Dartmouth), who has been disappointed in the lack of information that he has been able to find so far, as well as the following papers from other researchers:

http://www.securityfocus.com/intelligence/whitepaper.pdf
http://www.ee.oulu.fi/research/ouspg/protos/sota/FIRST1999-process/paper.pdf

If anyone else has other sources of information regarding scientific studies of the vulnerability lifecycle, I would appreciate it.

Thanks,
John

John Scrimsher
ISE Intrusion Detection
Hewlett Packard Co.
Phone : 541 715 4671
Telnet: 715 4671
Fax   : 541 715 6182
E-mail: john_scrimsher@private
Postal: 1000 NE Circle Blvd
        Corvallis, Oregon 97330

> -----Original Message-----
> From: Greg KH [mailto:greg@private]
> Sent: Thursday, June 20, 2002 9:47 PM
> To: Andrew Plato
> Cc: C.R.I.M.E.
> Subject: Re: CRIME Study: Open, closed source equally secure
>
> And remember, there's a lot more to security theories than
> mathematical models. His model does nothing to talk about
> the time it takes to _fix_ a problem once found. For that,
> nothing beats open source programs, and that has been proven
> (sorry, can't remember the actual citations, but I'm sure
> Crispin has them somewhere...)
>
> greg k-h

This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 09:04:03 PDT