Recently, I was contacted by the author of an incredibly detailed analysis of open source CMS security. As part of this breakdown, the analysis goes into detail about which systems have had the most vulnerabilities and the severity of them, coming up with a number of rather intriguing conclusions.
Take a look at this graph for instance:
As you can see, certain systems perform better than others, and what I found especially interesting is that, contrary to what you might hear on the net, Joomla actually shows quite well from a security standpoint.
As part of the interpretation of this analysis, the author came to this conclusion:
- WordPress only had a single serious vulnerability (if I interpreted that correctly) — impressive.
- Drupal also did well; only the percentage is a little higher due to the low number of overall issues.
- In contrast to the first two, TYPO3 appeared to not do well at all. It has by far the most serious vulnerabilities, both in absolute numbers and in percentage. However, I would attribute part of the difference compared to the other projects to TYPO3's stricter rating of vulnerabilities. One should probably add a CVSS comparison to Drupal to get a more balanced result.
- Joomla, while having the most vulnerabilities overall, did very well with serious ones (meaning it had few of those).
- SilverStripe seems to be floating somewhere between the other projects, being neither exceptionally good nor bad.
You can read the report here: https://github.com/xeraa/cms-security/blob/master/README.md
I'd love to hear YOUR thoughts on this report: do you think the author is accurate or not? Do you have any suggestions for improving the grading?