2006-09-05
Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies who pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process. In three parts.

Most vendors prefer to err on the side of limited disclosure -- that is, they prefer to wait until a patch is available, however long that may be. There is some support for that in the community, but I don't personally follow that model. To grant unlimited time to a vendor is to effectively act as though the vulnerability is only known to the vendor and the researcher. Time and experience have shown that to be an irresponsible attitude.
I think it's dangerous to allow unlimited time whilst maintaining secrecy. To do so opens you up to abuse, particularly when dealing with large, historically unresponsive organizations like Microsoft and Oracle. You have to be respectful of legitimate architectural issues like software complexity and compatibility testing. You want the vendor to issue a good update, but if they're taking eternity to do it, their processes need work and you should probably disclose, in the interest of preserving public security and maximizing transparency and accountability.
I tend to cap advance notification at 180 days, barring extraordinary circumstances. The discretion is on my end, however, not with the vendor. What's interesting is that I have cases sitting open with two of the vendors named in this article, both sitting open for 200+ days with no available resolution. It seems that the time was well wasted^H^H^H^H^H^Hspent.
Link to this comment: http://www.securityfocus.com/comments/columns/415/33898#33898