Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/kees/statuses/111951110795116140">Kees Cook :tux: (kees@fosstodon.org)'s status on Sunday, 18-Feb-2024 15:47:44 JST</a><a href="https://fosstodon.org/@kees" title="kees@fosstodon.org"><img src="https://gnusocial.jp/avatar/107149-48-20230725231521.webp" width="48" height="48" alt="Kees Cook :tux:" style="position: absolute; left: 0; top: 0;">Kees Cook :tux:</a></section><article><p>Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs:<br><a href="https://outflux.net/slides/2021/lss/kspp.pdf" rel="nofollow noreferrer">https://outflux.net/slides/2021/lss/kspp.pdf</a></p><p>I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2731120#notice-5417543">In conversation</a><time datetime="2024-02-18T15:47:44+09:00" title="Sunday, 18-Feb-2024 15:47:44 JST">about a year ago</time> <span>from <span><a href="https://fosstodon.org/@kees/111951110795116140" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@kees/111951110795116140">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/2273466">Graph of "critical" and "high" priority Linux kernel CVEs since 2010. Kernel release on the left side axis, older at the bottom. CVEs listed across the bottom axis. Each CVE has a bar running vertically ahove to indicate the duration of kernel releases the given flaw existed before it was fixed.The length of the bars is generally getting shorter, but many still reach all the way down into "before git history" times, showing the technical debt of the past.</a></label><br><a href="https://cdn.fosstodon.org/media_attachments/files/111/951/091/319/383/275/original/d540c9cd1f5580a4.png" rel="external">https://cdn.fosstodon.org/media_attachments/files/111/951/091/319/383/275/original/d540c9cd1f5580a4.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/2273467">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Sunday, 18-Feb-2024 15:47:44 JST Kees Cook :tux:
Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs:
https://outflux.net/slides/2021/lss/kspp.pdf
I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.
In conversationabout a year ago from fosstodon.orgpermalink
Attachments
1. Graph of "critical" and "high" priority Linux kernel CVEs since 2010. Kernel release on the left side axis, older at the bottom. CVEs listed across the bottom axis. Each CVE has a bar running vertically ahove to indicate the duration of kernel releases the given flaw existed before it was fixed. The length of the bars is generally getting shorter, but many still reach all the way down into "before git history" times, showing the technical debt of the past.
  https://cdn.fosstodon.org/media_attachments/files/111/951/091/319/383/275/original/d540c9cd1f5580a4.png
2. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice