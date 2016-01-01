It's interesting, because depending on why you're looking, you might want those combined and you might want those separated. If you are interested in an Android phone, you are interested in the vulnerabilities from Google's software that apply, as well as the vulnerabilities of the phone provider if they are extending Android. If you are buying a Nexus or Pixel device, you don't care about Samsung or HTC vulnerabilities. If you just want to know about problems in Google's suite of web applications, you don't necessarily care about Android at all.
Similarly, for Apple you might want to know the track record of their phones, or you might want to know about their OSes. For Windows, you might want to know about base OS vulnerabilities, or phone vulnerabilities, or Office and other application vulnerabilities.
For large companies, attributing all vulnerabilities to the company may not be the most useful way to do this. Also, if you want to know how responsible a company is, it might be more useful to provide a ratio of vulnerabilities to employed software engineers per company. If company X has 10 vulnerabilities and 10 programmers, and company Y has 100 vulnerabilities but 10,000 programmers, company Y may look worse on a pure vulnerability level, but conceivably they are doing a really good job of writing secure software and are just putting out a lot more of it.
Then you have Oracle at the top, but I expect that number is a combination of vulnerabilities in products produced by Oracle (like Java), and vulnerabilities reported in Oracle Linux.
I wish there was a better distinction between "distributor" (or "software packager") vs. "software creator".
