Today a "Role Comparison Report" from Security Innovation was published which has a headline that Red Hat fix security issues less than half as fast as Microsoft.
Red Hat was not given an opportunity to examine the "Role Comparison Report" or it's data in advance of publication and I believe there to be inaccuracies in the published "days of risk" metrics. These metrics are significantly different from our own findings based on data sets made publically available by our Security Response Team. I work with these stats on a daily basis and frequently publish reports based on them. I've put some sample reports, including ones for the distribution and timeline examined in the report on my Red Hat page along with the perl script we use to do the analysis so you can judge for yourself.
Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, the headline metrics treats all vulnerabilities as equal, regardless of their risk to users. The Red Hat Security Response Team publish complete data sets allowing calculations to be made taking into account the severity of each flaw. Red Hat prioritise all vulnerabilities and fix first those that matter the most.
For example out of the dataset examined by the report there were only 8 flaws in Red Hat Enterprise Linux 3 that would be classed as "critical" by either the Microsoft or Red Hat severity scales. Of those, three quarters were fixed within a day, and the average was 8 days. A critical vulnerability is one that could be exploited to allow remote compromise of a machine without interaction, for example by a worm.
But let's put these metrics into context - with the current threat landscape it is no longer sufficient for operating system vendors to just respond to security issues. We've had a firewall enabled by default in our products since 1999. We've digitally signed all software updates from Red Hat since 1996. As part of our overall security strategy Red Hat is continually innovating to create new technologies that proactively help reduce the risk of unpatched or as yet undiscovered vulnerabilities. That's why you see things like Exec-Shield ,which proved it's ability in Fedora Core to reduce the risk of some exploits, accelerated into the Enterprise product, and why you see us work on integrating technologies such as SELinux configured and enabled by default.