English

Security impact ratings considered harmful

Cryptography and Security 2009-04-28 v1

Abstract

In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk. We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but should instead seek update technologies that make it feasible to distribute updates for all disclosed OS bugs in a timely manner.

Keywords

Cite

@article{arxiv.0904.4058,
  title  = {Security impact ratings considered harmful},
  author = {Jeff Arnold and Tim Abbott and Waseem Daher and Gregory Price and Nelson Elhage and Geoffrey Thomas and Anders Kaseorg},
  journal= {arXiv preprint arXiv:0904.4058},
  year   = {2009}
}

Comments

HotOS 2009

R2 v1 2026-06-21T12:55:11.533Z