I am still convinced that there is limited value in comparing vulnerabilities between different products. However, there are a few products for which the discussion always seems extremely emotional: the operating system, Office, and the browser.
We already discussed the operating system part quite emotionally (which I actually liked). Office came into the spotlight in the last few days as one source claimed a significant rise in vulnerabilities from 2006 to 2007; I would like to understand the source of that data and the methodology, since the number of bulletins remained at least flat. It is always easy to claim something, and there are even journalists who pick this up without any further investigation, which is bad enough…
Now, the browser. This is always a very emotional discussion, as the browser is the window to the Internet and the world. Jeff Jones, a Microsoft employee, regularly analyzes vulnerability figures. As I stated in a previous blog post, I think it is important to understand internally both the progress made and the current state of the situation. He has now published his next piece of research, on Firefox and IE. Read it yourself: Internet Explorer and Firefox Vulnerability Analysis Report
These figures could only be correct if both sides disclosed all hidden fixes. If they do not, one side is actually fixing the figures instead of the vulnerabilities, and the count is therefore simply wrong.