ProductsServer Desktop & Workstation Developer Subscriptions Satellite OpenStack Platform For IBM POWER For SAP Business Applications Management For Scientific ComputingExtended Update Support High Availability High Performance Network Load Balancer Resilient Storage Scalable File System Smart Management Extended Lifecycle SupportA-MQ Accelerate Automate Integrate Application Platform BPM Suite BRMS JBoss community or Red Hat JBoss Middleware Data Grid Data Virtualization Developer Studio Portfolio Edition Fuse Fuse Service Works Operations Network Portal Web Framework Kit Web Server
SolutionsWhy Red Hat Why open hybrid cloud? The new IT Public cloud Cloud resource library Private cloud Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (PaaS) Cloud applications and workloadsSolaris to Red Hat Enterprise Linux Migration overview Migrate from your UNIX platform How to migrate to Red Hat Enterprise Linux Upgrade to the latest Red Hat Enterprise Linux release Red Hat JBoss Middleware Benefits of migrating to Red Hat Enterprise Linux Migration services Start a conversation with Red Hat
TrainingPopular and new courses Red Hat JBoss Administration curriculum Core System Administration curriculum Red Hat JBoss Middleware development curriculum Advanced System Administration curriculum Linux Development curriculum Cloud Computing, Virtualization, and Storage curriculum
ConsultingSOA and integration Business process management Custom Software Development Enterprise Data and Storage Systems management Migrations
Reports of Risk
March 26, 2007
by Security Team
Another security report was released this week that claims to show the “patch development time” for various distributions. Symantec gives some high level results, but none of the detail required to figure out how exactly it got to its results.
Our Red Hat Security Response team is committed to transparency. With every security advisory we release, we provide details on not only the security issue itself, but also on how we first found out about it, when we first found out about it, when it was made public and when we fixed it.
Because the software in Red Hat Enterprise Linux 4 is open source, we’re likely not to be the only company shipping each particular application. So unlike software that comes from a single vendor, we are rarely in control of the dates issues are made public. This is actually a good thing because it leads to much shorter response times between when issues are first reported to when they are made public. It also means our company can’t try to artificially reduce our “days of risk” statistics by using tactics such as holding off disclosure of important issues for a long period until a regularly scheduled patch day.
In any event, our track record in fixing critical issues–those that matter the most to customers–is outstanding. Using our publicly available data, you can see that a default installation of Red Hat Enterprise Linux 4 AS in the first two years since release was only vulnerable to three critical severity issues. Fixes for every one was available from Red Hat Network within two calendar days of public disclosure of the vulnerability.
Visit our Security Measurement page here.