
Should The Responsible Disclosure Process Be Standardized?


For every cyber-villain looking to exploit software and hardware vulnerabilities, there’s a cyber-hero fighting to expose (and close) those same security flaws. That reporting process is called responsible disclosure. But in today’s complex cyber landscape, the rules of responsible disclosure can vary dramatically from one vendor to the next, which raises the question: should the industry standardize this process?

Marc Laliberte, Security Threat Analyst at WatchGuard, provides an insider’s perspective on the topic of “responsible disclosure” in a new Dark Reading article. He highlights the challenges that both security researchers and vendors face when dealing with newly found vulnerabilities, while making the case that responsible disclosure benefits everyone involved.

“I’ve been on both ends of the responsible disclosure process, as a security researcher reporting issues to third-party vendors and as an employee receiving vulnerability reports for my employer’s own products. I can comfortably say responsible disclosure is mutually beneficial to all parties involved. Vendors get a chance to resolve security issues they may otherwise have been unaware of, and security researchers can increase public awareness of different attack methods and make a name for themselves by publishing their findings.

My one frustration as a security researcher is that the industry lacks a standard responsible disclosure timeline. We already have a widely accepted system for ranking the severity of vulnerabilities in the form of the Common Vulnerability Scoring System (CVSS). Perhaps it’s time to agree on responsible disclosure time periods based on CVSS scores?”

To read Marc’s entire article on Dark Reading, click here.
