Security: Inconsistent Policies for Vulnerability Disclosures Create Confusion

By Dick Weisinger

Vulnerability disclosure is the reporting of security bugs and flaws in software and hardware products. Disclosure is usually made directly to the vendor or creator of the flawed product and the exact nature of the problem is typically not disclosed publicly until after the product has been fixed or patched.

Product users typically would like to know about problems as soon as possible, but vendors prefer not to announce anything publicly until they have studied the problem and prepared a patch. There is a give-and-take tension between these two groups.

A group at Claroty tracks reported vulnerabilities and publishes biannual summary reports. Hundreds of vulnerabilities are reported each year in products from tens of vendors, and many of those vulnerabilities are classified as critical or high risk. But there is huge variability in how the vulnerabilities were reported.

BugCrowd publishes a guide on how to set up a vulnerability disclosure program. Many organizations establish policies for how they want vulnerabilities to be reported to them, but there is little consistency between those policies.

Ron Brash, director of cyber security insights for Verve Industrial Protection, told EE Times that “these programs [for reporting vulnerabilities] are all over the map: even U.S. federal agencies do their own thing. None of them are set up for maximum efficiency. It’s all best effort. The large vendors often take ownership, but their multiple business units might all do it differently. Since each product can combine multiple products, the number of vendors multiplies even more.”

Brash said that “Some open-source community projects are managing vulnerability disclosures fairly well. For instance, some parts of the Linux kernel are well managed; others not so much, and that’s not even considering the overall Linux ecosystem. And when compared to other free and open-source software projects, or even various proprietary products, they too have highly variable security practices.”
