When I started doing these scorecards, I did two variations - year-to-date and last-3-months - thinking that the latter would reflect short-term bursts of issues and that the former would give an overall view for the year that would incorporate the ups and downs.

Instead, the two versions of the charts seem to look very similar except for the numbers and scale. This kind of hints that whatever vulnerability disclosure and fix rate a product has, it is staying pretty consistent over time, at least in 2007.

The other thing I find a bit interesting is the Server charts that incorporate the reduced set of Linux packages. For those Linux server builds, I eliminated everything GUI, X11, Gnome, KDE-related, firefox and all optional client-type application components and just kept a minimalist server with the ability to server web pages or act in a few other common server roles. In contrast, the Windows Server build includes every shipping component including Internet Explorer, Media Player and similar stuff. I imagine that a lot of people would have expected a stripped-down Linux server to have, if not fewer total vulnerabilities, then fewer High severity vulnerabilities.

Finally, if I had one surprise in the charts, it was that I expected RHEL5 to be further distinguished from (ie, much lower than) RHEL4 in the YTD charts, given that it did not ship until March.