Any study on patch availability?


Hi all,

Holiday season greetings.

I am a PhD student at Princeton studying security. I am
interested in studying vulnerability statistics.  I am interested in
answering questions like:

1. Which are the programs where bugs are found often?

2. Which vendors tend to be frequently affected?

3. What are the common vulnerabilities (buffer overflows I guess)?

4. How often are patches available before a vulnerability is publicly

5. How much time does it take for a typical vendor to patch the bug? How
diligent are various vendors regarding releasing patches?

6. What are the OS specific statistics?

7. How diligent are users/administrators regarding patching? In some
there might be genuine reasons why you cannot patch (loss of
etc.). I am aware of "Security holes... Who cares?" by Eric Rescorla.

8. Have there been situations when a patch has not been available for a
long time, say more than a month.


I am primarily interested in seeing how fast the patches are out. I am
more interested in knowing about those situations when a patch is not
available fast. What did people do to avoid getting hit? I would
appreciate some concrete examples. So I am mostly interested in
4, 5, and 8.

Has someone already studied these patterns? Can the community refer me
to some useful links?  I would appreciate concrete examples and a
quantitative analysis.  I have talked to a few system administrators.
But I am confused whether patch availability is indeed a problem.
Unfortunately, the answer is specific to what software you are running
the answer tends to be subjective.

Thanks in advance,
