Statistics based on Secunia advisories released in 2003.
PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.
Secunia advisories often cover multiple vulnerabilities. Consequently, the number of advisories issued for a product does not always reflect the number of security issues that have been disclosed. For instance, in 2006 Secunia issued more than 5,000 advisories covering more than 9,000 vulnerabilities. This is counted AFTER removing duplicates generated by Linux distributions, issues in beta software, and what Secunia considers non-issues and fake issues that our competitors and other security vendors often write about.
It should also be noted that some operating systems (e.g. certain Linux distributions) bundle together a large number of software packages, and are therefore affected by vulnerabilities, which do not affect other operating systems (e.g. Microsoft Windows) that don't bundle together a similar amount of software packages.
Additionally, the number of unpatched vulnerabilities for a product may be affected by the fact that certain products (product bundles) consist mostly or solely of third party software (such as Linux distributions). Secunia tracks the number of issues fixed by the product vendor and not the issues reported in the third party software; this affects the statistics looking at unpatched issues A direct and fair comparison of unpatched issues for e.g. Microsoft Windows and Linux distributions is therefore NOT possible using the aggregated Secunia statistics. Such a comparison can only be made by tracking the upstream third party software included in Linux distributions and combining this with Linux distributions' own patches before comparing this with the aggregated statistics for Microsoft Windows operating systems.
Factors such as vendor response times and ability to properly fix vulnerabilities should also be considered when comparing products. Writing 100% secure code is virtually impossible, hence the vendor's responsiveness, willingness, and ability to provide quality patches to all its customers in a fast a reliable way is at least as important as the sheer number of vulnerabilities when considering the security of a product.
Please read the text associated with each graph to interpret the graph correctly.