Re: [CVEPRI] Proposal: An open letter on responsible disclosure
I thought I would add some reality back into this discussion. Here are some quick and dirty statistics I gathered from our vulnerability database. Someone might want to do a more accurate in-depth study.

I looked at the last 61 vulnerabilities in our database (I got bored after that). For the 61:

* 21 were reported first by security vendors.
  * Of those 21, in 19 cases the vendors worked or attempted to work with the vulnerable product vendor.
  * Of those 21, in 2 cases the vendors did not seem to work with the vulnerable product vendor.
* 31 were reported by individuals.
  * Of those 31, in 17 cases the individuals appear to have contacted the vendor before releasing the information.
  * Of those 31, in 14 cases the individuals appear not to have contacted the vendor before releasing the information.
* 9 were reported first by the vendors of the vulnerable products.

That means in only 26% of the cases were vendors not informed ahead of time of a vulnerability in their product.

Someone looking into this would want to further categorize the users that attempted to contact vendors by whether the vendor responded and how much time they gave the vendor. Also of interest would be to classify the vulnerabilities reported by risk to determine whether people are more responsible with higher risk vulnerabilities.

It should be noted that of the people that did not inform the vendors, in several cases they did not have enough information to determine whether there was a vulnerability or not, or why it worked, and only further discussion led to a more in-depth understanding of the problem. Also, several vulnerabilities were discovered while discussing other vulnerabilities, and thus a vendor could not be given prior notification. So it seems there will always be vulnerabilities discovered for which vendors can't be notified ahead of time, as they are discovered in a public forum.

Of course all this data is derived from our database, and if we are missing any information it may be skewed.

So while I can see things becoming better, I don't see the sky falling as others are claiming.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum