
Re: [CVEPRI] Proposal: An open letter on responsible disclosure



I thought I would add some reality back into this discussion. Here are
some quick and dirty statistics I gathered from our vulnerability database.
Someone might want to do a more accurate in-depth study.


I looked at the last 61 vulnerabilities in our database (I got bored
after that). For the 61:

* 21 were reported first by security vendors.
* Of those 21, in 19 cases the vendors worked or attempted to work
  with the vulnerable product vendor.
* Of those 21, in 2 cases the vendors did not seem to work with
  the vulnerable product vendor.
* 31 were reported by individuals.
* Of those 31, in 17 cases the individuals appear to have contacted the
  vendor before releasing the information.
* Of those 31, in 14 cases the individuals appear not to have contacted
  the vendor before releasing the information.
* 9 were reported first by the vendors for the vulnerable products.

That means in only 26% of the cases were vendors not informed ahead
of time of a vulnerability in their product.

Someone looking into this would like to further categorize the
users that attempted to contact vendors by whether the vendor
responded and how much time they gave the vendor.

Also of interest would be to classify the vulnerabilities
reported by risk to determine whether people are more responsible
with higher-risk vulnerabilities.

It should be noted that, of the people who did not inform the
vendors, in several cases they did not have enough information to
determine whether there was a vulnerability or not, or why it
worked, and only further discussion led to a more in-depth understanding
of the problem.

Also several vulnerabilities were discovered while discussing other
vulnerabilities and thus a vendor could not be given prior notification.

So it seems there will always be vulnerabilities discovered for which
vendors can't be notified ahead of time, as they are discovered in a public
forum.

Of course, all this data is derived from our database, and if we are missing
any information it may be skewed.

So while I can see things becoming better, I don't see the sky falling as
others are claiming.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007