Full Disclosure mailing list archives

Re: Vendor non-acknowledgement


From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 30 Sep 2003 16:03:28 -0400 (EDT)


Novell recently put out a security release
(http://support.novell.com/cgi-bin/search/searchtid.cgi?/10087316.htm)
based upon my notifications to them.  Do most vendors acknowledge
security professionals that bring vulnerabilities to them?

Based on informal analyses that I've done using internal CVE data,
approximately 50% of all reported vulnerabilities do not have any
associated vendor advisories/alerts *at all*, let alone credits to the
researcher.

In at least another 5% of vulnerability reports, the researcher says
that the problem was fixed by the vendor and provides a URL or other
reference, but you can't find a vendor statement that aligns with the
researcher's claims.

Approximately 1% of vulnerability reports may or may not be
acknowledged by the vendor, but the vendor's statements are so vague
that it is impossible to tell which vulnerability they are fixing.

At least one vendor (Microsoft) explicitly requires researchers to
participate fully with them, or else they do not get credited.  This
includes researchers who wait the "standard" 30 days before
publishing, if Microsoft does not have a patch ready when the
researchers publish.

I know this doesn't answer your question - I don't know how often
vendors will specifically credit researchers - but maybe these stats
will help understand some of the general problems in vendor
acknowledgement.

I think I agree with Florian Weimer that some vendors may not want to
credit individual researchers who don't provide their full names.

Note: I say "vendor" here to mean *any* distributor/developer/owner of
a software package, whether commercial or not.

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
