Actually, Mozilla focuses on days of risk over the practice of simply counting bugs. We consider two factors as part of the total window of exposure for users. The first is how long it takes for the vendor to ship the patch. The second is how long it takes for the user to get the patch installed....
Let's just hope they learned from Netscape's "hidden" security fixes.
Come clean when one is found and post a security patch; don't create a minor version. Believe it or not, most normal users DON'T come to SecurityFocus to get the latest buzz on problems.