IBM has overhauled its list of worst security patchers among software vendors, putting Microsoft at the top of its list and shifting Sun from No. 1 to No. 5.
Google, one of the companies that protested the methods used by IBM’s X-Force team to create the “Mid-Year Trend and Risk Report 2010,” dropped from No. 6 to No. 12.
In explaining the changes, an IBM blogger says it's difficult to track all the vulnerability disclosures and patches because the data has to be gathered by hand. "As you might imagine, this is a complicated task, as every software vendor handles security vulnerabilities differently and few standards exist today for sharing this information," Tom Cross says in his blog.
But in one of its blogs, Google says more effort should be made to verify the data used in the reports. "As a first step, database compilers should reach out to vendors they plan to cover in order to devise a sustainable solution for both parties that will allow for a more consistent flow of information," Adam Mein, a member of Google's security team, says in his blog.
"Another big improvement would be increased transparency on the part of the compilers — for example, the inclusion of more hard data, the methodology behind the data gathering, and caveat language acknowledging the limitations of the presented data."
Google complained to IBM because the report said Google had a 33% rate of leaving critical disclosed vulnerabilities unpatched. It turns out that the 33% referred to one patch out of three vulnerabilities, and that one was not security vulnerability after all.
IBM published two lists, one of companies with unpatched disclosed vulnerabilities and another of companies with unpatched critical vulnerabilities. Google dropped from No. 6 to No. 12 on the first and from No. 1 to No. 12 on the second.
Other software vendors whose ranking shifted markedly were Sun (from No. 1 to No. 5 and from No. 7 to a tie for No. 12) and Linux (from number seven to number 10 and from number four to a tie for No. 12).
The corrected ranking for the companies with the most unpatched disclosed vulnerabilities by company name and percent unpatched is: Microsoft, 23%; Mozilla, 17%; Apple, 12%; IBM, 9%; Sun, 8%; Oracle, 6%; Cisco, 6%; Novell, 5%; HP, 4%; Linux, 3%; Adobe, 3%; Google, 0%.
The corrected ranking for the companies with the most unpatched critical disclosed vulnerabilities by company name and percent unpatched is: IBM, 29%; Oracle 22%; Novell, 10%; Microsoft, 7%; HP, 5%; Mozilla, 4%; Adobe and Cisco each with 2%; and Apple, Google, Linux and Sun, each with 0%.