In anticipation of the Guardent/eWeek vulnerability summit in early November 2000, we conducted an informal experiment in which we tried to obtain the following information:
1) Whether the vendor publicly showed awareness of an announced vulnerability, and admitted that the problem was real ("vendor acknowledgement," also referred to as confirmation).
2) Whether the vendor provided contact information for security problems.
Although our results are not quantitative, we do consider them to be useful in understanding some of the problems in assessing which vulnerabilities can be patched.
This is an informal analysis. It is the sole product of the
individual authors, and does not represent an official position of The MITRE Corporation.
This analysis does not attempt to identify or address the various reasons for why vulnerability information may be incomplete or unavailable, as that topic has often been discussed in the past.
This analysis focuses on a test set of "worst case" vulnerabilities. It is not necessarily typical of all vulnerabilities or all vendors.
1) Without a standard location for security vulnerability information on vendor web sites, it is often extremely difficult to even find the appropriate page where vulnerability and patch information might be discussed.
2) Without a standard contact name for asking questions about vulnerabilities, it is difficult for a security analyst to find out which individuals or groups at a vendor web site have the information needed. This problem also makes it difficult for the vulnerability researcher to reach the right people.
3) The customer-focused nature of vendor web sites often makes it difficult for security analysts to access vulnerability information, even if the site has that information. Security analysts normally are not the vendor's customers.
4) Frequently, there is no apparent public acknowledgement of the vulnerability, or the web site is too difficult to navigate.
5) In some cases, the vendor may or may not have acknowledged the vulnerability, but the vendor's information is too vague to be certain.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.