Industry still split on vulnerability disclosure

We've seen increasing moves by the software industry over the past few weeks to solve one of its oldest dilemmas: vulnerability disclosure.

Microsoft changed its policy on disclosure last month, and research firm TippingPoint told manufacturers recently that it is setting a six-month time limit between alerting them to a flaw and disclosing the information to its customers.

There are growing signs that the industry is getting serious about sorting out its patching protocols.

"It amazes me that a dozen years down the line we're still talking about this," Dan Holden, director of security research at TippingPoint, told V3.co.uk.

"Some of the arguments are pure semantics. We need to be mature about our responsibilities. The threat landscape has changed dramatically, and we're up against a much larger beast."

Holden explained that the tension between researchers and software manufacturers is largely economic. Vendors are not keen to have their problems exposed, but research firms have clients to protect and need to keep them informed.

Part of the problem is that in the past some of the biggest vendors took years to sort out problems, rather than the months that could reasonably be expected, and in some cases weren't even bothering to patch at all until the next major system upgrade.

"A kernel level one vulnerability takes a lot of time to sort out," Holden said. "But from a researcher's standpoint, everyone wants a patch as soon as possible."

The issue is increasingly being raised because of the larger pool of research firms. Many in the old-school hacking community, such as Dan Kaminsky and Moxie Marlinspike, have now set themselves up as security researchers in a sign that the industry is maturing.

"You need the research and the breaking, but it can't stop there," said Kaminsky at the launch of DNSSec during last month's Black Hat conference. "You have to work on a fix, get it out there, and then occasionally put on a suit."