Flaw researchers desire progress reports from software makers

Ever come up with a really good suggestion to pass along to your boss, management, or even a company, one that would improve its products and services? Ever get stonewalled, or otherwise have no idea whether your suggestion was used and acted on? This is how people paid to investigate potential holes in software feel. This is what needs to be done:

"Software vendors need to establish protocols for interacting with researchers who share bug information, experts said. If they don't, they could risk losing the progress that has been made towards responsible disclosure of flaws."


While software companies (quite rightly) prefer that researchers not disclose flaws to the general public until a fix is ready ("responsible disclosure"), researchers don't feel their work is appreciated by vendors as it should be. Different companies are at different stages of working with those who find vulnerabilities, and if a bug finder gets no response from a vendor, he or she might disclose the flaw publicly after 30 days.


This may seem more of a "ho-hum" article to some; however, it speaks volumes about the biggest "vulnerabilities" of all: the "holes" in software vendors' efforts to secure their software, by way of their outright denial that something is wrong (past reaction of Cisco, current reaction of Oracle). This goes to the heart of ego: when someone creates something, the last thing that person is willing to accept is a critique of how it could be improved. While this is understandable and perhaps forgivable in normal human interaction, it is not acceptable for any software company to release software to the public, find out something needs fixing to prevent end-user headaches and losses, then drag its feet or even deny the problem exists. Another problem with the general "fix it grudgingly" approach: who loses if the software is bad or bug-ridden? The end user does! Has anyone heard of any software recall to date where all users were offered a full refund of their purchase price, plus any damages they might have suffered from incomplete security design in the software? Of course not! This is why the so-called "bug hunters" are essential consumer advocates, as they try to fix the trouble before it becomes a problem. While it is "responsible" to keep a flaw under wraps, I also understand when they publish a flaw, and in so doing, rightfully kick the vendor in the pants to fix it, and fast!


I personally hope these advocates for responsible software security measures at least begin getting the respect they request, and that more companies will follow suit in paying them for their work, because whether software vendors like it or not, these researchers cover the vendor's behind when the vendor misses something it should have caught with its own staff, and help save the vendor's reputation.

If anyone can elaborate more about current Oracle, Cisco or other companies' approaches toward these researchers, beyond what is already mentioned in this article, please react below and share what you know. 🙂

Source: C|net
