Can you name the company with the worst track record for patching critical vulnerabilities in recent times? IBM’s X-Force security research team reckons it knows the answer. According to the X-Force 2010 Mid-Year Trend and Risk Report, there is no one worse than IBM itself when it comes to leaving critical vulnerabilities unattended for long durations. IBM took the top spot thanks to its failure to fix 29 percent of all critical bugs that were brought to its notice in the first half of 2010. Oracle (22%) and Microsoft (7%) occupy the next two spots on the list.
This, in fact, is a revised version of the report. As per the original, Google was the company with the highest percentage of unpatched flaws in H1 2010. However, Google was quick to dispute IBM's claim that it had left 33 percent of critical and high-risk bugs in its software unpatched: “We learned after investigating that the 33% figure referred to a single unpatched vulnerability out of a total of three — and importantly, the one item that was considered unpatched was only mistakenly considered a security vulnerability due to a terminology mix-up. As a result, the true unpatched rate for these high-risk bugs is 0 out of 2, or 0%.”
But this wasn't the lone mistake in the original, which also erroneously rated Oracle-owned Sun as the vendor with the highest percentage of unpatched vulnerabilities in the first half of 2010. But that honor now belongs to Microsoft.
“After we released our trend report this week, we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart,” IBM said in a blog post. “As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart.”
