Aug 18, 2011 17:44 GMT  ·  By

Adobe has settled a dispute with a security researcher concerning the number of vulnerabilities patched in the latest version of Flash Player.

Following the release of Flash Player 10.3.183.5 last week, Google security engineer Tavis Ormandy disputed Adobe's vulnerability count.

Ormandy claimed that he alone had submitted about 400 separate vulnerabilities to Adobe which were fixed in the latest release without being mentioned in the security bulletin.

The company only wrote that "Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release."

Brad Arkin, Adobe's senior director of product security and privacy, explained the source of the confusion in a blog post.

He points out that every company can have its own internal policies regarding CVE allocation; some might assign them only for externally reported vulnerabilities, others might combine related vulnerabilities under the same CVE, and so on.

He notes that as far as Adobe is concerned, the company doesn't assign CVEs for vulnerabilities discovered as part of its Secure Product Lifecycle (SPLC), because these are not publicly known.

"We didn’t allocate any CVEs because we viewed this testing as part of the SPLC that spans the joint engineering efforts with the Google Chrome team. This led to some confusion since the Google security team has a different approach to CVE allocation," Arkin writes in regard to the Flash Player advisory dispute.

He also points out that after triage and further analysis the 400 crashes submitted by Ormandy required only 80 code changes, many of which were closely related.

"At this point, we’d rather invest our time in continuing the hardening work that will make Flash Player more robust against attack than reviewing change logs. We’ve updated the security bulletin to include CVE-2011-2424 to describe this batch of bugs," he says.

This whole incident illustrates why it's never a good idea to compare the security of similar products by counting publicly reported vulnerabilities: the count depends as much on each vendor's CVE allocation policy as on the code. Some vendors might not disclose vulnerabilities found internally, or might fold many fixes into a single CVE, while others, particularly open source projects, might report every one of them.