Full Disclosure mailing list archives
Re: Vendor non-acknowledgement
From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 30 Sep 2003 16:03:28 -0400 (EDT)
> Novell recently put out a security release (http://support.novell.com/cgi-bin/search/searchtid.cgi?/10087316.htm) based upon my notifications to them. Do most vendors acknowledge security professionals that bring vulnerabilities to them?

Based on informal analyses that I've done using internal CVE data, approximately 50% of all reported vulnerabilities do not have any associated vendor advisories/alerts *at all*, let alone credits to the researcher.

In at least another 5% of vulnerability reports, the researcher says that the problem was fixed by the vendor and provides a URL or other reference, but you can't find a vendor statement that aligns with the researcher's claims.

Approximately 1% of vulnerability reports may or may not be acknowledged by the vendor, but the vendor's statements are so vague that it is impossible to tell which vulnerability they are fixing.

At least one vendor (Microsoft) explicitly requires researchers to participate fully with them, or else they do not get credited. This includes researchers who wait the "standard" 30 days before publishing, if Microsoft does not have a patch ready when the researchers publish.

I know this doesn't answer your question - I don't know how often vendors will specifically credit researchers - but maybe these stats will help understand some of the general problems in vendor acknowledgement.

I think I agree with Florian Weimer that some vendors may not want to credit individual researchers who don't provide their full names.

Note: I say "vendor" here to mean *any* distributor/developer/owner of a software package, whether commercial or not.

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Vendor non-acknowledgement Kent A (Sep 30)
- Re: Vendor non-acknowledgement Florian Weimer (Sep 30)
- Re: Vendor non-acknowledgement Giovanni Bobbio (Sep 30)
- Re: Vendor non-acknowledgement Nicob (Sep 30)
- <Possible follow-ups>
- Re: Vendor non-acknowledgement Steven M. Christey (Sep 30)
- Re: Vendor non-acknowledgement Florian Weimer (Sep 30)