Skip to Main Content
Despite their failings, collections of vulnerability bulletins and incident reports still provide the best source for data that could give security engineering a quantitative basis. For this reason, we used vulnerability bulletins to extract statistics about the security of common products; specifically the diverse security characteristics of operating systems in the Windows, Unix, and Linux families. In many cases, the data that was available, rather than security engineering requirements, dictated which statistics we derived. Nevertheless, our findings provide interesting insights into how the various products differ and suggest which security mechanisms would most effectively protect different system designs.