[ISN] Show us the bugs - users want full disclosure

From: InfoSec News (isnat_private)
Date: Tue Jul 09 2002 - 05:04:39 PDT

  • Next message: InfoSec News: "[ISN] RAID 2002"

    By John Leyden
    Posted: 08/07/2002 at 15:34 GMT
    End-users overwhelmingly support the full disclosure of security
    vulnerabilities, according to a recent survey by analysts Hurwitz
    Group, which demonstrates widespread frustration about vendor
    responsiveness to security issues.
    Based on interviews with more than 300 software security
    professionals, the report shows that end users overwhelmingly support
    full disclosure - announcing security vulnerabilities as soon as they
    are discovered. The end users surveyed for the report are clearly
    angry that vendors are releasing insecure applications, and then not
    responding when flaws are detected, Hurwtiz reports.
    "They see full disclosure in public forums and in the press as the
    only way to force vendors to respond to vulnerabilities caused by
    poorly written and insecure code. In fact, end users overwhelmingly
    support full disclosure even if it means exposing security flaws
    within their organisation that could have a negative impact on their
    company," it writes.
    The research also shows that most end users want the information
    published and many want it published immediately. A full 39 per cent
    of respondents said that vulnerabilities should be disclosed upon
    discovery, with another 28 per cent wanting disclosure within one
    The study undermines attempts by vendors, most notably Microsoft, to
    create a charter for the "responsible disclosure" of information of
    security vulnerabilities which would restrict the release of
    information about bugs. According to this line of thinking, disclosure
    should be delayed by up 30 days to give software vendors time to patch
    a system.
    To openly discuss exploits of software bugs is leading to "information
    anarchy" and undermining Internet security, according to Microsoft.  
    Three out of four security software professionals disagree, Hurwitz
    The study indicates a mounting frustration with users about security
    problems - and the general quality - of computer software. Users may
    soon seek to use the law to punish software vendors for these
    problems, Hurwitz suggests.
    In the past, end users have had limited legal options, since product
    liability laws currently protect software vendors, but this may soon
    end, Hurwitz believes.
    "Companies are so angry that they are now willing to take vendors to
    court," said Pete Lindstrom, Director of Security Strategies at
    Hurwitz Group. "I think we will soon see test cases in the courts to
    try to develop some requirements and standards for vendors. It will be
    interesting to see whether those cases will be successful, and whether
    standards will ultimately solve the problem for end users."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 08:14:11 PDT