Linux Vendors Question Forrester Security Report
Four Linux distributors, including Red Hat and SuSE, took issue this week with a recent report by Forrester Research that compared the security of Linux and Windows.
Last week, Forrester senior analyst Laura Koetzle released her year-long study of published security vulnerabilities and their fixes during the time span from June 1, 2002 to May 31, 2003.
Using metrics she and her colleagues devised, they measured the number of days customers of Windows and Linux were at risk from vulnerabilities, the percentage of security problems fixed, and how each operating system ranked in the severity of its uncovered flaws. Koetzle's report compared Windows with four distributions of Linux: those from Red Hat, SuSE, Debian, and Mandrakesoft.
It was those companies that criticized the Forrester report.
In a joint statement, the four said, “Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.”
Koetzle defended her survey on Friday, saying that she did rank the vulnerabilities by separating them into severe, medium, and low based on the same criteria applied by the ICAT project of the U.S. government's National Institute of Standards and Technology (NIST).
