Security metrics are very difficult to do well, and easy to do poorly. Mozilla discloses and releases bulletins for all security issues fixed in Firefox, regardless of how they were discovered. This sort of reporting only encourages companies to hide as many security issues and fixes as possible. The report is disappointing that security researchers aren't taking the research part of their jobs as seriously as they once did. It's disappointing that Secunia would publish something like this as one really expects better.
Source: https://blog.mozilla.org/security/2009/03/06/beware-the-security-metric/