Jan 14

Masters

After fiddling with Brian Krebs's work yesterday (available at SecurityFix), I decided to take it a step further and draw some pretty graphs. Here the patches were sorted into chronological order based on the date of the original report. It is interesting to note that Microsoft patches vulnerabilities reported at the end of the year faster than those reported at the beginning. In the graphs, blue lines are full disclosure vulnerabilities and orange lines are responsible disclosure vulnerabilities. The full disclosure graph also shows the large improvement in patch times in those cases. I used a 5-point rolling average for the trend curves. It is interesting to note the cyclical nature of the patch times on the summary graph: there aren't just random spikes and troughs; there are usually other highs and lows building up to them. It would be nice to know what projects were under way at Microsoft that may have led to the general increase in patch times over that period; alternatively, it could be the nature of the vulnerabilities. Any ideas?

Also in the last three years, Microsoft has:

  • Released 99 critical patches
  • Taken an average of 120 days to release a patch
  • Taken an average of 62 days to release patches for full disclosure vulnerabilities
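The calculation behind the graphs and the three figures above (days from report to patch, sorted by report date, split by disclosure type, smoothed with a 5-point rolling average) is straightforward to reproduce. The script below is an added example, not the spreadsheet from the post or Krebs's data; the seven records in it are constructed sample rows with made-up dates, and the "responsible"/"full" labels are an assumed encoding of the two disclosure types.

```python
"""Reproduce the post's days-to-patch analysis on constructed sample data."""
from datetime import date
from statistics import mean

# Constructed sample rows: (report date, patch date, disclosure type).
# Dates and disclosure labels are made up for illustration only.
SAMPLE = [
    (date(2005, 1, 10), date(2005, 6, 14), "responsible"),
    (date(2005, 2, 3), date(2005, 3, 8), "full"),
    (date(2005, 3, 21), date(2005, 8, 9), "responsible"),
    (date(2005, 4, 2), date(2005, 5, 10), "full"),
    (date(2005, 6, 15), date(2005, 9, 13), "responsible"),
    (date(2005, 8, 1), date(2005, 8, 9), "full"),
    (date(2005, 10, 5), date(2005, 12, 13), "responsible"),
]


def days_to_patch(report, patch):
    """Calendar days between the original report and the patch release."""
    return (patch - report).days


def sorted_delays(rows):
    """Return [(report_date, days_to_patch, disclosure_type)] in chronological
    order of the original report, as the graphs in the post were ordered."""
    ordered = sorted(rows, key=lambda r: r[0])
    return [(rep, days_to_patch(rep, pat), kind) for rep, pat, kind in ordered]


def rolling_average(values, window=5):
    """Trailing rolling mean used for the trend curve. The first window-1
    entries are None because a full window is not yet available, which is
    how a spreadsheet moving-average trend line behaves."""
    out = []
    for i in range(len(values)):
        if i + 1 < window:
            out.append(None)
        else:
            out.append(mean(values[i + 1 - window:i + 1]))
    return out


def summary(rows):
    """Patch count, mean days to patch, and mean days per disclosure type."""
    delays = sorted_delays(rows)
    by_type = {}
    for _, days, kind in delays:
        by_type.setdefault(kind, []).append(days)
    return {
        "patches": len(delays),
        "mean_days": mean([d for _, d, _ in delays]),
        "mean_days_by_type": {k: mean(v) for k, v in by_type.items()},
    }


if __name__ == "__main__":
    delays = sorted_delays(SAMPLE)
    trend = rolling_average([d for _, d, _ in delays])
    for (rep, days, kind), avg in zip(delays, trend):
        avg_txt = "-" if avg is None else f"{avg:.1f}"
        print(f"{rep}  {days:4d} days  {kind:<12} trend={avg_txt}")
    print(summary(SAMPLE))
```

Splitting the per-type means out of the overall mean is what makes the full versus responsible disclosure comparison in the post meaningful; on real data the two populations also differ in size, so the count per type is worth printing alongside the mean before reading much into the gap.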

The original spreadsheet is available in:

I changed the day calculations so that they will work in Excel; however, Excel is unable to display the graphs correctly and just shows two sets of bars instead of bars and a trend line, so I recommend either the OpenOffice version or the HTML.

As an aside, what are the correct terms for the two types of disclosure? Responsible disclosure is a rather morally laden term, and calling the alternative irresponsible or non-responsible seems silly. I am using 'full disclosure' in this entry, but it seems wrong.

Posted by Dominic White

Last modified on 2006-01-15 00:06

1 Trackback

  1. Dominic White's .tHE pRODUCT

    Microsoft Patch Speed Inconsistencies
    While going over the research on Microsoft's time to patch produced by Brian Krebs at SecurityFix, I noticed a few things which didn't add up. His calculations for the number of days from internal or full disclosure until patch release appeared wrong. O
