The vendors do not feel that there is
ever a need to disclose highly sensitive information to potentially irresponsible users.
Knowledge Management
A case study at the University of Oulu in Finland titled "Communication in the Software
Vulnerability Reporting Process" analyzed how the two distinct groups (reporters and
receivers) interacted with one another and worked to find the root cause of the
breakdowns. The researchers determined that this process involved four main categories
of knowledge:
• Know-what
• Know-why
• Know-how
• Know-who
The know-how and know-who are the two most telling factors. Most reporters don't
know whom to call and don't understand the process that should be started when a vulnerability
is discovered. In addition, the case study divides the reporting process into
four different learning phases, known as interorganizational learning:
• Socialization stage: When the reporting group evaluates the flaw internally to
determine if it is truly a vulnerability
• Externalization phase: When the reporting group notifies the vendor of
the flaw
• Combination phase: When the vendor compares the reporter's claim with its
own internal knowledge about the product
• Internalization phase: When the receiving vendor accepts the notification and
passes it on to its developers for resolution
One problem that apparently exists in the reporting process is the disconnect and
sometimes even resentment between the reporting party and the receiving party.