This report explores the state of security risk for Red Hat Products for calendar year 2016. We look at key metrics, specific vulnerabilities and the most common ways users of Red Hat Products were affected by security issues.
Our methodology is to look at the vulnerabilities we addressed and their severity, then look at which issues were of meaningful risk, and which were exploited.
We found roughly as many vulnerabilities in 2016 as in 2015, although the number of issues we learned about before they became public dropped slightly. The median embargo length for those issues fell to just 7 days, down from 13 in 2015.