Wow, what a noble service you're providing the world. How easy it is to filter the world to make it fit your pre-made conclusions about somebody else's product. In one breath, you "do not understand how one can realistically excludes issues that were disclosed before 2008 and fixed later", and yet you're perfectly comfortable limiting your research to Firefox 2 vulnerabilities. Typical MS - compare your beta product with their end-of-life version.

You can say what you want, but I know this: the only virus I've ever gotten on my PC has been from a zero-day Internet Explorer vulnerability that I had to format my machine to get rid of. Which is why I'm writing this in Firefox 3.

Thanks for the article, but it didn't really put forth any conclusive findings. It cited a lot of statistics and raised some good questions, but still leaves the issue in limbo.

When evaluating, I agree that any single metric distorts the findings. So here is a suggestion of rating:

1) Interaction Required. Can someone be affected by being on the internet? Surfing onto specific sites (drive-by downloads)? What level of user involvement is required? So they have to execute a trojan, or can the malware self-populate?

2) Severity. Does the malware install a keylogger? Steal usernames/passwords? Or does it just drag your resources down. How bad is the problem?

3) Days to fix. This is where patch time comes in.

I would take all of these and rate them first by a combination of 1) and 2) to evaluate potential for disruption - I suggest using an exponential scale. Then compare that to 3) to see how the vendor reacts. Small problems that grant local access to *.doc files only after user-approved code execution can afford to wait to be fixed. Exploits that can happen to anyone with the software installed and connected to the Internet and which grant full local admin access would obviously rank 100's of times higher on the importance scale.

Let's get away from subjective finger pointing and use a single, objective scale. Put the two vendors' past performance on this scale and evaluate.

To Beyond Pathetic

I'm not sure I get your point. Limiting to Firefix 2 just means that I was not exhaustive and didn't look for examples from other supported versions in the time period.

Compare end-of-life product with Beta? What Beta? FF2 was the product that was supported for the largest time period in 2008 - what product would you propose instead?

In the interest of balance is CIO going to run a series by a Mozilla developer doing an analysis of IE bugs and how they are addressed by Microsoft? In the interest of full disclosure, how much money does Microsoft spend in advertising in CIO and other related magazines?