The Tie That Binds
To further illustrate the important tie between reporters and vendors, the study concludes
that the reporters are considered secondary stakeholders of the vendors in the
vulnerability reporting process. Reporters want to help solve the problem, but are
treated as outsiders by the vendors. The receiving vendors often found it to be a sign of
weakness if they involved a reporter in their resolution process. The concluding summary
was that both participants in the process rarely have standard communications
with one another. Ironically, when asked about improvement, both parties indicated
that they thought communication should be more intense. Go figure!
Team Approach
Another study, "The Vulnerability Process: A Tiger Team Approach to Resolving Vulnerability
Cases," offers insight into the effective use of teams comprising the reporting and
receiving parties. To start, the reporters implement a tiger team, which breaks the functions
of the vulnerability reporter into two subdivisions: research and management. The
research team focuses on the technical aspects of the suspected flaw, while the management
team handles the correspondence with the vendor and ensures proper tracking.
The tiger team approach breaks down the vulnerability reporting process into the following
life cycle:
1.