Feeds

Show us the bugs – users want full disclosure

Test case needed

  • alert
  • submit to reddit

Protecting against web application threats using SSL

End-users overwhelmingly support the full disclosure of security vulnerabilities, according to a recent survey by analysts Hurwitz Group, which demonstrates widespread frustration about vendor responsiveness to security issues.

Based on interviews with more than 300 software security professionals, the report shows that end users overwhelmingly support full disclosure - announcing security vulnerabilities as soon as they are discovered. The end users surveyed for the report are clearly angry that vendors are releasing insecure applications, and then not responding when flaws are detected, Hurwtiz reports.

"They see full disclosure in public forums and in the press as the only way to force vendors to respond to vulnerabilities caused by poorly written and insecure code. In fact, end users overwhelmingly support full disclosure even if it means exposing security flaws within their organisation that could have a negative impact on their company," it writes.

The research also shows that most end users want the information published and many want it published immediately. A full 39 per cent of respondents said that vulnerabilities should be disclosed upon discovery, with another 28 per cent wanting disclosure within one week.

The study undermines attempts by vendors, most notably Microsoft, to create a charter for the "responsible disclosure" of information of security vulnerabilities which would restrict the release of information about bugs. According to this line of thinking, disclosure should be delayed by up 30 days to give software vendors time to patch a system.

To openly discuss exploits of software bugs is leading to "information anarchy" and undermining Internet security, according to Microsoft. Three out of four security software professionals disagree, Hurwitz finds.

The study indicates a mounting frustration with users about security problems - and the general quality - of computer software. Users may soon seek to use the law to punish software vendors for these problems, Hurwitz suggests.

In the past, end users have had limited legal options, since product liability laws currently protect software vendors, but this may soon end, Hurwitz believes.

"Companies are so angry that they are now willing to take vendors to court," said Pete Lindstrom, Director of Security Strategies at Hurwitz Group. "I think we will soon see test cases in the courts to try to develop some requirements and standards for vendors. It will be interesting to see whether those cases will be successful, and whether standards will ultimately solve the problem for end users." ®

Related Stories

Setback for security through obscurity scheme
MS 'Security Framework' is another .NET vulnerability

External Links

Who's Liable for Security Bugs? Stuck Between a Rock and a Hard Place with Full Disclosure, report by Hurwitz Group

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.