IBM X-Force report critical of independent security researchers

Although independent security researchers discover more vulnerabilities than their vendor counterparts, the most critical vulnerabilities are discovered by vendor research organizations, according to a report issued Tuesday by IBM.

The report, issued by IBM's Internet Security Systems (ISS) division, summarizes security statistics for the first half of 2008. It highlights the ISS X-Force research and development team's observations over that period and points out new trends the researchers are tracking.

The report was critical of independent security researchers, drawing attention to statistics showing that independent researchers are almost twice as likely as vendor-driven research organizations to have exploit code published on the same day as their vulnerability disclosure. Over the past year and a half, independent researchers discovered 70% of all vulnerabilities that were not anonymously disclosed, but vendor research organizations found 80% of critical vulnerabilities, meaning those with a Common Vulnerability Scoring System (CVSS) base score of 10.

"You have to ask yourself whether you're providing more responsive patching and protection techniques, or are you doing it for self-driven, egocentric reasons," said Kris Lamb, director of IBM's X-Force research team.
