Is the vulnerability disclosure process glitched? How CISOs are being left in the dark
- by nlqip
Getting bug reports through can be challenging
Another significant barrier to adequate coordinated vulnerability disclosure is simply reaching the relevant vendor personnel, a difficult task compounded by the fact that communicating with bug reporters might be low on the vendors’ priorities list.
“Getting information back from the vendor about the bug’s status can be challenging,” Childs says. “The vendors are dealing with a huge number of bugs, more than they’ve ever dealt with in the past. What it boils down to is that the researcher is their lowest priority. They have other priorities that they’re working on, whether it be developing a fix or hopefully testing a fix before releasing it, that sort of thing. And the communication just gets dropped.”
Communicating with small vendors can be more of a challenge than dealing with large companies like Apple, Google, Microsoft, or Cisco. “Dealing with smaller providers and niche software things, it can be hard to find where to report the bugs,” Childs says. “We’ve even gone as far as to try to reach out to CISOs and CIOs on LinkedIn to try and report bugs. We’ve sent messages through support sites to try to report bugs. Sometimes, it gets reported to one person, but it’s not the right person.”
Source link
lol
Getting bug reports through can be challenging Another significant barrier to adequate coordinated vulnerability disclosure is simply reaching the relevant vendor personnel, a difficult task compounded by the fact that communicating with bug reporters might be low on the vendors’ priorities list. “Getting information back from the vendor about the bug’s status can be challenging,”…