
Re: [Xen-users] [Research] Correlation of Patch Delivery Delay and Access Complexity

On Sat, Sep 26, 2015 at 10:29 AM, Stefan Geißler
<info@xxxxxxxxxxxxxxxxxxx> wrote:
> Hello all,
> In the context of my analysis of the delay between vulnerability disclosure (CVE
> release) and the release of a corresponding patch I am also analyzing the
> relation between the delay and various vulnerability characteristics.
> The attached figure shows the relation between Access Complexity as used by
> NVD and defined in CVSS. The Y-Axis shows the average delay for each
> category (Low, Medium, High). The numbers on top of the bars show the number
> of vulnerabilities in the respective category.
> I was hoping that someone is able to help me explain the relation that can
> be seen in the figure. Why would a higher Access Complexity lead to longer
> patching delay? Or is the relation maybe just random and there is no actual
> connection between the two metrics?

First of all, since this question is presumably addressed to the Xen
developers, it would probably be better asked on xen-devel.

But to get you a better response there:

I don't really have a very clear idea what you're actually measuring
here.  What exactly is the "CVE release" date?  And what do you count
as "release of a corresponding patch"?

You also use a lot of acronyms (NVD, CVSS) without defining what they
mean or giving any references to them.

Finally, you ask about your graph, but you haven't given us any
information about the data that's fed into the graph.  Which XSAs are
you talking about?  Which ones fall into which category?  That would
be much more useful in helping people answer this kind of question.
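The computation Stefan describes (delay per advisory from CVE publication to patch release, averaged per Access Complexity category, with the per-category count), as an added example in Python that is not part of this thread. The advisory names, dates and categories are constructed; the script also lists which advisories fall into which category and reports the median beside the mean, since with small categories a single late patch dominates the average.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from collections import defaultdict

@dataclass
class Advisory:
    name: str               # placeholder identifier, not a real XSA number
    cve_published: date     # date the CVE entry became public (the "CVE release")
    patch_released: date    # date the corresponding fix was published
    access_complexity: str  # CVSS v2 Access Complexity: "Low", "Medium" or "High"

# Constructed sample data: names, dates and categories are made up for illustration.
SAMPLE = [
    Advisory("ADV-1", date(2015, 1, 5),  date(2015, 1, 5),  "Low"),
    Advisory("ADV-2", date(2015, 2, 10), date(2015, 2, 17), "Low"),
    Advisory("ADV-3", date(2015, 3, 1),  date(2015, 2, 26), "Medium"),  # patch predates CVE entry
    Advisory("ADV-4", date(2015, 4, 2),  date(2015, 4, 30), "Medium"),
    Advisory("ADV-5", date(2015, 5, 11), date(2015, 5, 13), "High"),
    Advisory("ADV-6", date(2015, 6, 1),  date(2015, 9, 29), "High"),    # one late patch
    Advisory("ADV-7", date(2015, 7, 6),  date(2015, 7, 10), "High"),
]

def delay_days(adv):
    # Negative values mean the fix was public before the CVE entry was,
    # which is exactly the definitional question the reply above raises.
    return (adv.patch_released - adv.cve_published).days

def membership(advisories):
    """Which advisories fall into which Access Complexity category."""
    groups = defaultdict(list)
    for adv in advisories:
        groups[adv.access_complexity].append(adv.name)
    return dict(groups)

def summarize(advisories, clip_negative=False):
    """Per category: (count, mean delay, median delay) in days.
    With clip_negative=True, negative delays are counted as zero."""
    groups = defaultdict(list)
    for adv in advisories:
        d = delay_days(adv)
        if clip_negative:
            d = max(d, 0)
        groups[adv.access_complexity].append(d)
    return {cat: (len(ds), mean(ds), median(ds)) for cat, ds in groups.items()}

if __name__ == "__main__":
    for cat, (n, avg, med) in summarize(SAMPLE).items():
        print(f"{cat:6} n={n} mean={avg:.1f} median={med:.1f} {membership(SAMPLE)[cat]}")
```

In the constructed data the "High" category has the largest mean purely because of one late patch, while its median is lower than "Medium"; reporting both alongside the counts is what makes a plot like the one described interpretable.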

