Secure Coding mailing list archives

Disclosure: vulnerability pimps? or super heroes?


From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 6 Mar 2007 23:50:13 -0500 (EST)


Based on my general impressions in day-to-day operations for CVE (around
150 new vulns a week on average), maybe 40-60% of disclosures happen
without any apparent attempt at vendor coordination, another 10-20% with a
communication breakdown (including "they didn't answer in 2 days"), and
the rest coordinated.  A bit of a guess there, though.

The only remotely relevant survey that I can think of was by me and
Barbara Pease, 6 years ago in 2001, and we were reduced to qualitative
analysis because data collection turned out to be too expensive, and this
was focused on vendor acknowledgement (which holds steady at 50% no matter
what the year).  But disclosure timelines are thankfully more prevalent
these days, so an updated study would be more illuminating.  I'm looking
forward to Richard Forno's study of vuln researchers whenever it comes
out.

For obligatory SC-L content: this is one reason why I think vendor
development/maintenance processes need to be prepared for non-coordinated
disclosures.

- Steve
