Majority of security professionals favour shorter disclosure deadline

A majority 32% of security professionals polled believe 60 days is a reasonable time for allowing a software supplier to fix a vulnerability before full public disclosure, a survey has revealed.

However, 25% of 147 security professionals polled at the RSA Conference in San Francisco by security firm Tripwire said public disclosure does not need to wait for a security fix from a supplier.

Project Zero has angered suppliers such as Microsoft for going public with vulnerabilities discovered by its researchers before security updates had been issued by the software suppliers.

Project Zero imposed the 90-day deadline to ensure suppliers address vulnerabilities as a matter of urgency, but have come under fire from suppliers who claim that 90 days is often not enough time to create and test a fix.

The Tripwire survey also revealed that opinions were split on whether security researchers should be allowed to test security constraints of a company’s products and services without upfront approval from that company, with 50% of respondents saying they should not be allowed and 49% saying they should.

This has been a recent point of debate around new cyber security legislation in the US state of Georgia, which would affect responsible security researchers’ ability to do things in the public interest, not just malicious attacker activities.

Most survey respondents (84%) said that more legislation is needed to protect people and organisations from cyber attackers, but 35% said lawmakers need guidance and should work in partnership with information security experts.

More than a third of respondents (36%) said their own organisation had received an unsolicited vulnerability report in the past, while just over half (53%) said their organisations have an official channel where external security researchers can easily submit vulnerabilities found in their products or services.

However, nearly a quarter (24%) said their organisation has been the target of an extortion scheme related to the release of vulnerability details.

Tyler Reguly, manager of the vulnerability and exposure research team (Vert) at Tripwire said that it is a good idea for all organisations to be open to receiving research, but expressed surprise that 53% of respondents reported having an official channel to do so.

“This is better than some stats we’ve seen in the past. Last year a report came out saying 94% of companies on the Forbes Global 2000 have no discernible way to receive reports about vulnerabilities in their networks,” he said.

Vulnerability reports are submitted to help the company better protect themselves and their [attack] surfaces, said Reguly.

“The point of responsible disclosure is to build a safer internet. Those who have submitted vulnerabilities as part of an extortion theme are not representative of the responsible researchers,” he said.

According to Tripwire, the survey results show that responsible security research remains a complicated issue, and while some suppliers remain concerned about researchers looking into their product and services without their prior knowledge, the security firm said there is an important distinction between those who do this work for the betterment of society and those who do it for their own personal gain or other malicious intent.