Communication issues seem to be a major hurdle for improving the process. From the case study, it was learned that over 50 percent of the receiving parties who had been sent potential vulnerability reports indicated that less than 20 percent of those reports were actually valid. In these situations the vendors waste a lot of time and resources on issues that are bogus.
Publicity
The case study included a survey that centered on the question of whether vulnerability information should be disclosed to the public; it was broken down into four individual statements that each group was asked to respond to:
1. All information should be public after a predetermined time.
2. All information should be public immediately.
3. Some part of the information should be made public immediately.
4. Some part of the information should be made public after a predetermined time.
As expected, the feedback from the questions validated the assumption that there is a decided difference of opinion between the reporters and the vendors. The vendors overwhelmingly feel that all information should be made public after a predetermined time, and feel much more strongly about all information being made immediately public than the reporters do.
PART I
Chapter 3: Proper and Ethical Disclosure