Actually, Mozilla focuses on days of risk over the practice of simply counting bugs. We consider two factors as part of the total window of exposure for users. The first is how long it takes for the vendor to ship the patch. The second is how long it takes for the user to get the patch installed. By working to minimize both of these factors, we are able to reduce the total exposure for the user and keep them safer.