Secunia's Latest Red Hat FUD Debunked
- Dr. Roy Schestowitz
- 2008-01-18 14:17:54 UTC
- Modified: 2008-01-18 14:17:54 UTC
Two days ago we created a credibility index and earlier today someone suggested that we add Secunia to it.
Secunia seems to be spreading some Linux/Red Hat FUD at the moment. As Peter Judge shrewdly explains:
Red Hat's Mark Cox quickly pointed out in a blog that a) the number was wrong, b) it counted flaws in all the third party products associated with Red Hat's OS, and worst of all c) it counted several bugs six times, since it added up fixes made for the same bug, on multiple Red Hat products.
[...]
Even if there were a greater number of reported bugs on these open source products, that would not equal lower security. It could just mean that there is more publicity for known bugs in the open source world (as we saw recently, when code-checker Coverity announced it had found around 8000 bugs in open source projects, I commented here that this was actually good news for open source).
Obviously, whether or not Secunia deliberately got its sums wrong, it remains the case that "open source security flaws" is a much more arresting headline than "Microsoft security flaws" - for exactly the same reason that "man bites dog" is more interesting than "dog bites man".
That is a lovely analogy. This is far from the first time security experts try to draw attention by standing out from the crowd. It's sometimes a publicity stunt. In another article at ZDNet, in Secunia's defense, the company refers to this as a case of comparing apples and oranges. If that's the case, then why these headlines and why these figures which basically beg for the deceiving headlines?
Peter Judge wrote some other good blog items in the past, so he'll be added to our credibility index as well.