Top 10 Failures of Current Vulnerability Disclosure Practices

Not surprisingly, vendors view responsible disclosure as "tell us and no one else", while researchers interpret it as "fix this as soon as possible". While I'm not sure that we need a survey to reveal that, I did find it an interesting read. People often complain that the vulnerability disclosure process is broken and badly in need of repair. I disagree.

I think that it works just fine. Researchers and vendors will never agree on what constitutes responsible disclosure, that much is certain. We're wasting our time by trying to find the universal formula. At present, we have what I call the "invisible hand of responsible disclosure" regulating the process. Vendors are kept in check by a growing army of brilliant researchers with the ability to uncover vulnerabilities that the developers themselves were unable to discover.

For the most part, researchers are driven by their own curiosity and are a powerful force that cannot be ignored. On the other hand, researchers are kept in check by legal threats from vendors and flames from their peers for mishandling an issue. While I'm certainly not a proponent of a vendor taking legal action to suppress information sharing, the mere threat of such activity does cause researchers to think about the way that they choose to handle information. Nature always seeks equilibrium and in the security industry it is the ongoing researcher vs. vendor battle that keeps everyone honest (or at least on their toes).

However, nothing is ever perfect, and while I maintain that the current system works, there are failures on all sides that constantly threaten to break the equilibrium.
