I think it was Groucho Marx who quipped “Statistics are like a bikini. What they reveal is interesting, but what they conceal…that is vital!”
Techweb has posted a news story that Symantec is changing the way it calculates vulnerabilities per year per browser. It has adopted the rather obvious position that it will now count all the publicly known vulnerabilities for a browser, not just the ones published after a delay by the vendor (who might also bunch separate vulnerabilities together into a single confirmation, etc.):
But the new counting methodology, which Friedrichs said was the “more accurate” of the two, combines all vulnerabilities, including those made public but not necessarily confirmed by the vendor.
In that count, IE comes out second-best: In the same six months, Firefox suffered from 17 total vulnerabilities, while IE had 24.
“The vendor- and non-vendor-confirmed numbers are the ones I’d recommend using,” said Friedrichs. “For one thing, it removes the delay that can affect numbers because of long patch times by commercial vendors.”
Symantec, said Friedrichs, won’t make claims that one of the two leading browsers is more secure than the other. “We just stick to the facts,” he said. “But the number of vulnerabilities are legitimate, so we can say that Firefox has fewer vulnerabilities.”