The Zero Day Initiative, TippingPoint's bug bounty program, spends 30 percent of its effort helping Microsoft mitigate bugs in its Windows operating system and applications, according to data posted online on Thursday.

The data, part of a presentation given by ZDI's Pedram Amini last month, shows that about a quarter of the bugs accepted by ZDI since its launch in August of 2005 were vulnerabilities in Microsoft software. The group has only accepted about 30 percent of the 1,900 flaws submitted by researchers for all software.

"That's 33 Microsoft critical issues we are responsible for disclosing on average per year," Amini wrote on ZDI's blog. "As Microsoft accounts for most of our purchases it is no surprise that they account for most of our expenditures as well -- 30 percent."

Flaws in Apple software came a distant second to Microsoft, accounting for only 8 percent of the group's research expenditures, he stated.

The research also showed that the Mozilla Foundation led the industry with the fastest vendor response time overall. The developer of the Firefox browser averaged 48 days from notification to patch. Apple came in second, with an overall average of 91 days from notification to patch. Microsoft hovered at the center of the pack at 197 days, while Symantec, the owner of SecurityFocus, sported the worst performance -- 307 days on average.

Hewlett-Packard, Microsoft and IBM posted records for the longest time to fix a vulnerability. HP placed first and second with two vulnerabilities that continue to be outstanding at 1,071 days and 911 days. Microsoft held the third and fourth positions with two vulnerabilities, since patched, that had remained outstanding for 875 days and 866 days, respectively. IBM's worst response time is an issue that remains outstanding after 847 days.

"The presented data was our first unveiling of a vendor 'report card,'" stated Amini. "Within the next month or so, we intend on creating a permanent home on the ZDI website with all these statistics and more."

If you have tips or insights on this topic, please contact SecurityFocus.