Being "The Vendor" for Security Issues
Every six months IBM's X-Force security team releases a report about what software has had what vulnerabilities. Joomla! usually ranks pretty high, not because of vulnerabilities in the core, but because there are thousands of third party extensions (some not actively developed since Joomla! 1.0.1) that exist out in the world. Every six months I explain to the folks at IBM that the Joomla! Project isn't the vendor for third party extensions. They listen, but they don't change.

The new report is out, and as usual it's both interesting and frustrating. When reading it, keep in mind that IBM doesn't evaluate the reports for accuracy at all; they just count any reports that come from anywhere mildly authoritative (even a security account on Twitter has an entry). They use the same sources we all do to monitor security reports. They do a pretty good (but not perfect) job of merging duplicates.

The big deal in the new report is that it claims that 80% of Joomla vulnerabilities are unpatched. How they decide that something is patched is not described in their report.

Posted originally: 2009-08-30 13:55:33
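The two methodology choices the post complains about, charging every extension advisory to the core project as "the vendor" and counting something as unpatched without saying what "patched" means, can be made concrete with a small script. The example below is added here and is not code from the original post or from the Joomla! Project or IBM; the advisory records, the source names and the extension names ("ExtA" to "ExtD") are constructed placeholders, and the duplicate-merging and patch-status rules are assumptions chosen to show how much the headline numbers move when those rules change.

```python
"""Added example (not from the original post): how vendor attribution and the
definition of "patched" change the headline numbers in a vulnerability report.
Every advisory record below is constructed sample data, not a real advisory."""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    source: str           # where the report came from (constructed source name)
    product: str          # "Joomla!" for the core, otherwise the extension name
    title: str
    fix_available: bool   # the maintainer published a fix
    fix_confirmed: bool   # someone tracking the advisory verified the fix


def normalize_title(title: str) -> str:
    """Collapse case, punctuation and whitespace so near-duplicate titles merge."""
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


def merge_duplicates(advisories):
    """Keep one record per (product, normalized title).

    A fix reported by any source counts for the merged record, which is one
    reasonable rule; a report that only counts the first source it saw would
    already give a different answer."""
    merged = {}
    for a in advisories:
        key = (a.product.lower(), normalize_title(a.title))
        if key in merged:
            prev = merged[key]
            merged[key] = Advisory(prev.source, prev.product, prev.title,
                                   prev.fix_available or a.fix_available,
                                   prev.fix_confirmed or a.fix_confirmed)
        else:
            merged[key] = a
    return list(merged.values())


def vendor_counts(advisories, lump_extensions_with_core: bool) -> Counter:
    """Advisories per vendor. With lump_extensions_with_core=True every
    extension advisory is charged to "Joomla!", which is the attribution
    the post objects to; with False each extension is its own vendor."""
    counts = Counter()
    for a in advisories:
        if lump_extensions_with_core or a.product == "Joomla!":
            counts["Joomla!"] += 1
        else:
            counts[a.product] += 1
    return counts


def unpatched_ratio(advisories, require_confirmed: bool) -> float:
    """Share of advisories counted as unpatched.

    require_confirmed=False: unpatched means no fix was published at all.
    require_confirmed=True:  unpatched means nobody verified the fix, so a
    published but unverified fix still counts against the vendor."""
    unpatched = 0
    for a in advisories:
        patched = a.fix_confirmed if require_confirmed else a.fix_available
        if not patched:
            unpatched += 1
    return unpatched / len(advisories)


# Constructed feed: two entries are duplicates of earlier ones under different
# sources and spellings, exactly the kind of thing a report has to merge.
SAMPLE = [
    Advisory("vendor-advisory", "Joomla!", "SQL injection in core search", True, True),
    Advisory("mailing-list",    "Joomla!", "SQL Injection in Core Search", True, False),
    Advisory("tracker",         "ExtA",    "XSS in ExtA comments",         True, False),
    Advisory("microblog",       "ExtA",    "xss in exta comments!",        False, False),
    Advisory("tracker",         "ExtB",    "File inclusion in ExtB",       False, False),
    Advisory("tracker",         "ExtC",    "Path disclosure in ExtC",      True, False),
    Advisory("vendor-advisory", "Joomla!", "XSS in core admin",            True, True),
    Advisory("tracker",         "ExtD",    "Upload handling flaw in ExtD", False, False),
]


def summary(advisories=SAMPLE) -> dict:
    """Return the figures a report could print from the same raw feed."""
    merged = merge_duplicates(advisories)
    return {
        "raw_reports": len(advisories),
        "unique_advisories": len(merged),
        "joomla_count_if_extensions_lumped_in": vendor_counts(merged, True)["Joomla!"],
        "joomla_count_core_only": vendor_counts(merged, False)["Joomla!"],
        "unpatched_ratio_no_fix_published": unpatched_ratio(merged, False),
        "unpatched_ratio_fix_not_confirmed": unpatched_ratio(merged, True),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

On this constructed feed the same eight raw reports give either six "Joomla!" advisories or two, and an unpatched share of either one third or two thirds, depending solely on the attribution and patch-status rules; a report that does not state those rules cannot be checked against the vendor's own view of what it ships and what it has fixed.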

