Here is a response from one of our internal vulnerability tracking managers:
For the list below, only a couple I see that do not seem prioritized as I'd expect: Red Hat, McAfee and Symantec. McAfee and Symantec actual products (not the Security Focus lists) are widely used enterprise and government products with a global presence. And additional emphasis because they are security products that immediately impact an organization's security state. Not talking about AV signatures or threat vulnerability reporting services, but actual vulnerabilities in their products can have severe impacts.
Red Hat is the other; a good bellwether for multiple products. Also widely used, and from our experience we often see new vulnerabilities, fixes and security advisories/updates from them prior to the other Linux vendors or the open source community (linux.org, kernel.org…). Those vulnerabilities also spin off to the many Red Hat derivatives also widely used like CentOS and MonteVista for embedded Linux versions. Not sure why they are considered a challenge to cover. Seems to me like they are solid in their security practices and open/public reporting.
Possibly one other is FreeBSD; it is still pretty widely used for hosting web services, particularly with smaller service providers. And it is another of those bellwether products like Red Hat, that if there is a vulnerability in FreeBSD, it will impact and carry over to all those products built on FreeBSD, i.e. if you cover them you don’t really need to cover all the derivatives but you have them covered. Would not cover the ports collection, just the base OS.
On May 10, 2012, at 2:50 PM, Mann, Dave wrote: