On Tue, Nov 18, 2003 at 04:33:53PM -0600, Quinby, Kris (MED) wrote: > I am looking to compare the span time from vulnerability to patch for a few > different HTTPD servers. The vulnerabilities data base at > http://www.securityfocus.com does not list a date associated with the > solution, only the announced date. I also know that the announced date does > not necessarily coincide with the discovered date but I will take any > information I can find at this point. Sadly, this information is not very widely available: http://www.nxnw.org/~steve/papers/lisa2002-time-to-patch.ps In fact, you pretty much have to hope that for every vulnerability reported to every httpd you are interested in, the reporter reports the information in a public report somewhere... If you don't know about CVE yet, you should get acquainted with it in a hurry: http://www.cve.mitre.org/ It won't solve all your problems, but it might help substantially. :) -- "Sniff you jerks later." -- Captain Murphy
This archive was generated by hypermail 2b30 : Tue Nov 18 2003 - 18:03:41 PST