Secure Coding mailing list archives
Disclosure: vulnerability pimps? or super heroes?
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 6 Mar 2007 23:50:13 -0500 (EST)
Based on my general impressions in day-to-day operations for CVE (around 150 new vulns a week on average), maybe 40-60% of disclosures happen without any apparent attempt at vendor coordination, another 10-20% with a communication breakdown (including "they didn't answer in 2 days"), and the rest coordinated. A bit of a guess there, though.

The only remotely relevant survey that I can think of was by me and Barbara Pease, 6 years ago in 2001, and we were reduced to qualitative analysis because data collection turned out to be too expensive, and this was focused on vendor acknowledgement (which holds steady at 50% no matter what the year). But disclosure timelines are thankfully more prevalent these days, so an updated study would be more illuminating.

I'm looking forward to Richard Forno's study of vuln researchers whenever it comes out.

For obligatory SC-L content: this is one reason why I think vendor development/maintenance processes need to be prepared for non-coordinated disclosures.

- Steve