[attrition] Security Rant: US-CERT: A disgrace to vulnerability statistics

security curmudgeon jericho at attrition.org
Mon Jan 2 23:18:55 EST 2006


http://www.osvdb.org/blog/?p=79

US-CERT: A disgrace to vulnerability statistics
Posted in Vulnerability Statistics on January 2nd, 2006 by jericho

Several people have asked OSVDB about their thoughts on the recent US-CERT 
Cyber Security Bulletin 2005 Summary. Producing vulnerability statistics 
is trivial to do. All it takes is your favorite data set, a few queries, 
and off you go. Producing meaningful and useful vulnerability statistics 
is a real chore. I've long been interested in vulnerability statistics, 
especially related to how they are used and the damage they cause. 
Creating and maintaining a useful statistics project has been on the 
OSVDB to-do list for some time, and I personally have not followed up with 
some folks that had the same interest (Ejovi et al). Until I see such 
statistics done right, I will of course continue to voice my opinion at 
other efforts.

[..]

Ok, on to the fun part.. the statistics! Unfortunately, the bulletin is 
very lacking on wording, explanation, details or additional disclaimers. 
We get two very brief paragraphs, and the list of vulnerabilities that 
link to their summary entries. Very unfortunate. No, let me do one better. 
US-CERT, you are a disgrace to vulnerability databases. I can't fathom why 
you even bothered to create this list, and why anyone in their right mind 
would actually use, reference or quote this trash. The only statistics 
provided by this bulletin:

[..]

A decade later, and the security community still lacks any meaningful 
statistics for vulnerabilities. Why can't these outfits with commercial or 
federal funding actually do a good job and produce solid data that helps 
instead of confuses and misleads?!
