Google on Monday said that a recent report claiming it failed to patch a third of the serious bugs in its software had the facts wrong.
IBM's X-Force security company, which released the report last week, acknowledged the error and issued a revised chart that shows Google patched all the vulnerabilities rated "critical" or "high" in its online services.
"We questioned a number of surprising findings concerning Google's vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report's conclusions," said Adam Mein, a security program manager at Google, in an entry on a company blog.
Last week, X-Force's report claimed that 9 percent of all Google bugs disclosed in the first half of 2010 were unpatched, and 33 percent of the vulnerabilities ranked as critical or high had not been fixed.
According to IBM's revised tabulations, Google patched every vulnerability revealed in the first six months of this year.
"After we released our trend report ... we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart," said Tom Cross, a researcher with X-Force, in a mea culpa blog post published on Saturday. "As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart."
Cross' blog post included a revamped table that showed the new numbers.
Although Cross did not name the other vendor that complained about the patching results, Sun Microsystems' numbers also changed dramatically. Where the original table had Sun letting 24 percent of all first-half 2010 bugs and 9 percent of the most serious flaws go unfixed, the recalculated figures were 8 percent and 0 percent, respectively. The changes dropped Sun from the vendor with the largest percentage of unpatched vulnerabilities to the one in fifth place.
In April, Oracle announced plans to acquire Sun for $7.4 billion; X-Force listed the two companies' vulnerabilities separately.