
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


Secure communication channels between the reporter and the receiver should be
established throughout the life cycle. This sounds like a simple requirement, but as the
research team discovered, incompatibility issues often made this task more difficult
than it appeared. For example, if the sides agree to use encrypted e-mail exchange, they
must ensure that they are using similar protocols. If different protocols are in place, the
chances of the receiver simply dropping the task greatly increase.
Knowledge Barrier
There can be a huge difference in technical expertise between a vendor and the finder.
This makes communicating all the more difficult. Vendors can't always understand what
the finder is trying to explain, and finders can become easily confused when the vendor
asks for more clarification. The tiger team case study found that the collection of vulnerability
data can be very challenging due to this major difference. Using specialized teams
who have areas of expertise is strongly recommended. For example, the vendor could
appoint a customer advocate to interact directly with the finder. This party would be a
middleperson between engineers and the finder.
Patch Failures
The tiger team case also pointed out some common factors that contribute to patch failures
in the software vulnerability process, such as incompatible platforms, revisions,
regression testing, resource availability, and feature changes.

