On Secunia’s Vulnerability Review 2015

Today, Secunia have released their Vulnerability Review 2015, including various statistics on security issues fixed in the last year.

If you don’t know about Secunia’s services: They aggregate security issues from various sources into a single stream, or as they call it: they provide vulnerability intelligence.
In the past, this intelligence was available to anyone in a free newsletter or on their website. Recent changes, however, have moved much of the useful information behind login and/or pay walls. This has also forced us at the Gentoo Security team to stop using their reports as references when initiating package updates due to security issues.

Coming back to their recently published document, there is one statistic that is of particular interest: Gentoo is listed as having the third largest number of vulnerabilities in a product in 2014.

from Secunia: Secunia Vulnerability Review 2015 (http://secunia.com/resources/reports/vr2015/)

Looking at the whole table, you’d expect at least one other Linux distribution with a similarly large pool of available packages, but you won’t find any.

So is Gentoo less secure than other distros? tl;dr: No.

As Secunia’s website does not let me see the actual “vulnerabilities” they have counted for Gentoo in 2014, there’s no way to find out how these numbers came about. What I can see are “Secunia advisories”, which seem to be issued more or less for every GLSA we send. Comparing the number of Secunia advisories posted for Gentoo to those available for Debian 6 and 7 tells me something is rotten in the state of Denmark (scnr):
While there were 203 Secunia advisories posted for Gentoo in the last year, Debian 6 and 7 had 304, yet Debian would have to have fixed fewer than 105 vulnerabilities in (55 + 249 =) 304 advisories to be at rank 21 or lower and thus not included in the table above. That doesn’t make much sense. Maybe issues in Gentoo’s packages are counted for the distribution as well—no idea.

That aside, 2014 was a good year in terms of security for Gentoo: The huge backlog of issues waiting for an advisory was heavily reduced as our awesome team managed to clean up old issues and make them known to glsa-check in three wrap-up advisories—and then we also issued 239 others, more than ever since 2007. Thanks to everyone involved!

5 thoughts on “On Secunia’s Vulnerability Review 2015”

  1. Gentoo apparently hasn’t been keeping up on the protection money. Wonder who paid to have Gentoo put on the list at all. After all, if they were including all distributions, every sub-flavor of Gentoo should have at least as many “vulnerabilities”.

    1. Careful with the conspiracy theories. 😉

      The reason why no derivatives are listed is that none (that I know of) do their own security response, everyone relies on us.

  2. Look at you writing on your blog!

    Secunia seriously smells like a pretty stinky company… I’m glad you were able to blog about this to raise awareness. Someone who does know much about Linux distributions might actually think that Linux is less secure than it really is!

    That link Hanno posted is really good, by the way.

  3. Tables that only mention how many issues have been found are useless at measuring security. What’s important, and missing, is how many of those issues have been fixed. All this table does is it shows how good we are at spotting security issues, something to be very much proud of :-)
