, 2006-09-05
Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies who pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process. In three parts.

I see that, by and large, most everyone is in agreement except for that one touchy subject: timeliness of a resolution. That seems to be the sticking point and also the most subjective part of the whole process. For someone like Red Hat, I inferred they expect to resolve important issues within days, whereas smaller issues for other companies like Microsoft may take another Service Pack to fix (part of HD Moore's response). Who is to say how much patience, respect, and altruism a researcher has? Likewise, who is to say what a company's patching timeline should be?
It seems that a majority of the friction caused by what people call responsible or irresponsible disclosure is due to this changing line, and has been the cause of most of the issues in recent years.