Again, you may not like it, but being the authority on security stuff is one thing; being accurate enough to track whether the reported vulnerabilities have been fixed is quite another.

wastingtimewithforums said:
"Apparently not if they can't keep track of when vulnerabilities are fixed."

fknight said:
*snip*
You may not like it, but Secunia IS the authority on security stuff on the web.
Even Microsoft acknowledges it.
Look at how many pages on microsoft.com mention Secunia and their statistics:
Look at this:
"Secunia Vulnerability Study
Published: 12/1/2006
In a comparison of relative security, this study of third-party vulnerability data found Windows Server 2003 to have fewer vulnerabilities than Red Hat ES 3 and ES 4.
This paper compares the security of Red Hat Enterprise Linux ES 3, Red Hat Enterprise Linux ES 4, and Microsoft Windows Server 2003 Enterprise Edition. Different aspects of operating system security, such as the number of vulnerabilities and the time to resolve them, were analyzed as indicators of security for each operating system. Data collection and analysis for this study was performed in December 2006. Data was collected from Secunia (http://secunia.com), a leading independent source of vulnerability intelligence. For each vulnerability, data on start and patch dates was collected from all security bulletins and announcements under all CVE references associated by Secunia with that vulnerability. The study found that Windows Server 2003 is consistently lower risk than Red Hat ES 3 or Red Hat ES 4. Windows Server 2003 has fewer total vulnerabilities, which means users have fewer patching events to respond to, the first high-criticality vulnerability was not identified until over two years after release, and on average Windows Server 2003 has fewer unpatched vulnerabilities per day."
Another MS page:
"Secunia Vulnerability Study Summary and Analysis
I. Core Analysis
Overview and Methodology
This paper compares the security of Red Hat Enterprise Linux ES 3, Red Hat Enterprise Linux ES 4, and Microsoft Windows Server 2003 Enterprise Edition. Different aspects of operating system security, such as number of vulnerabilities and the time to resolve them, were analyzed as indicators of security for each operating system. Data collection and analysis for this study was performed in December 2006.
Data was collected from Secunia (http://secunia.com/), a leading independent source of vulnerability intelligence. Secunia was used because they do not rely on a single source for vulnerability information, and their source data is highly transparent. Secunia not only performs their own security research but also collects and verifies security bulletins and announcements from a large base of external sources: vendors, internet forums, newsletters, security analyst bug reports, CERT, and web sites maintained by unaffiliated individuals who are tracking security issues for each platform.[1] For each operating system, Secunia tracks all vulnerabilities that affect a full installation of all components and packages included in the current release."
Another MS page:
"[...] Press Pass: From a security perspective, how is IIS7 different from what else is out there?
Laing: IIS6 was already rock-solid on security. You can look at the Secunia Web site where they list security bulletins and see that IIS6 hasn't suffered a single critical security vulnerability. Even after that great success, we are still looking for ways to raise the Web server security bar. [...]"
So, Secunia and their statistics are mentioned all over Microsoft's own sites.
This might be intentional, I think. As, if they keep the list up to date, their website will be used as a convenient source of information on exploitable vulnerabilities, which is not a good thing.
Therefore, comparing the numbers of unpatched vulnerabilities shown on their website makes little sense.