Rasmus Lerdorf writes:
> Forget your Google searches and go look at actual vulnerability reports
> for the last 3 months.

Vulnerability reports are not a reasonable statistical sample. They aren't random. Also, people who report vulnerabilities are likely to stop reporting them if the maintainers of the software make it clear that the vulnerability won't get fixed. Why waste your time reporting an 'include' break-in? After all, it's not a vulnerability -- many people have told me that already. For example, I didn't report the two include vulnerabilities I found. Why should I? What problem would be solved by me reporting a security flaw that I ought to have known about beforehand?

Google, on the other hand, tries to give you the most appropriate page when you search for something.

--
--My blog is at blog.russnelson.com | If you want to find
Crynwr sells support for free software | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241 | affairs, look for the
Potsdam, NY 13676-3213 | | hand of a legislator.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php