How Fast Do Vendors Tackle Vulnerabilities?


This Ars Technica piece describes the way in which researchers release information on security vulnerabilities to the vendors who distribute the code and to the public.
Folks who back "responsible disclosure" advocate forwarding vulnerability information to vendors and giving them a chance to rectify problems before releasing the data to the public. The other side of the debate says this step essentially is a waste because vendors tend not to react -- especially to difficult bugs -- until the pressure is truly on. So a delay in releasing information to the public really is a delay in addressing a problem. During this time, of course, hackers and crackers and other malicious souls are angling to find the problems themselves.
There are two ways for an outsider to react to this. On one level, it's easy to say that there is truth on both sides and that compromise and better communication are the key to a more secure Internet. In the real world, however, it is likely that one side or the other is being more up front on this vital topic. The reality probably is that the bulk of vendors either do or don't sit on their hands.

This is far from an inside-baseball debate between techies. Businesses have a lot at stake -- it is their data that is at risk, after all -- and real leverage. They need to educate themselves on the issue and ask software vendors who come knocking where they stand. When the vendor invariably says that they react to flaws immediately, the prospective customers' IT departments need to make them prove it. Everyone shares the goal of a safer and more secure Internet. Clearly, however, there are myriad agendas within that overall sentiment that often are at cross purposes. It's up to the companies that write the checks to force the sides to form a reasonable framework.
If the reality is that some software vendors react quickly and some lag, it is even more important for end customers to get involved. They must use the power of the pocketbook to get the bulk of the industry onto the same -- and safest -- page.