[VIM] interesting thought

[Steven M. Christey]

On Fri, 19 May 2006, Mark J Cox wrote:

> The only difficulty with such metrics for multi-vendor software is
> choosing what date to count.  Say for the Linux kernel is it the date a
> patch was posted to a mailing list, or the day it got approved (hence is
> now official),...

We have been slowly and informally tracking this internally in CVE.  We
have the "technically public" date - which includes a mailing list post
that's publicly archived, an obscure changelog entry, or bug report - then
we have the "widely public" date, which is roughly defined as "when the
announcement hits one of the usual vuln reporting channels or DBs."  This
is a new data point and only occasionally collected when I run into it.
The widely public vs. technically public dates can vary by months or,
occasionally, years.

Bug reports are still difficult, because the bug might have been marked
private, then made public sometime when the fix was made available.  So
you don't even know when it was technically public.

Then you also have the cases where on day X it was just a bug, but on day
Y it was discovered to be security-relevant.

Still, these cases seem to happen fairly rarely, at least currently.

> (For Red Hat we publish the date an issue was first public and the date we
> released an update for all issues)

Do you mean "widely public" or "technically public" or some other
definition?

- Steve