>>>>> "Anthony" == Anthony Towns <aj@azure.humbug.org.au> writes:

    Anthony> Dividing by years gives:

    Anthony>   CVEs  Earliest  Years  CVEs/Year
    Anthony>     43      2004      3       14.3  wordpress
    Anthony>     63      2002      5       12.6  phpbb2
    Anthony>     37      2004      3       12.3  moodle
    Anthony>     46      2002      5        9.2  bugzilla
    Anthony>     45      2001      6        7.5  phpmyadmin

    >> Viewed this way, wordpress definitely appears to have one of
    >> the /highest/ rates of security holes for webapps of its class.

    Anthony> 14 bugs per year versus 12 for moodle and phpbb2 doesn't
    Anthony> seem that big a difference to me.

    Anthony> I'm not sure that bug counts like this are really useful
    Anthony> though -- they don't measure the severity of the
    Anthony> problems, and could be indicative of popular code that's
    Anthony> being regularly fixed as much as low quality code that's
    Anthony> being regularly broken.

While I'm not on the TC, I'd like to second the point here that looking
at bug counts isn't really the right picture.

I work on MIT Kerberos for my day job. We get a lot of complaints that
MIT Kerberos has a worse security track record than Heimdal because
we've had more security advisories. However, almost all of these
security advisories are from code inspection and auditing, not from
exploits. We could (but ethically will not) just ignore these issues or
try and slip them into future releases to try and improve our security
track record.

However, without knowing whether similar auditing is going on against
other products, or knowing how many people are looking, the number of
security incidents per time may not be a good description of how buggy
code is.

--Sam