Security experts are calling for a set of guiding principles to formalise the process of reporting security vulnerabilities, claiming that in the "real world" the whole process is liable to failure.
According to a report in the latest Internet Security Conference Newsletter, authored by Ivan Arce, founder and chairman of security group Core-SDI, there are numerous "bugs in the bug reporting process".
Discoverers of bugs in software and hardware often do not have the skill or time to research the problem, making it difficult to determine if the problem actually exists, or if it is specific to the discoverer, said Arce.
Nor does the discoverer have the resources to assist the process of identifying the problem, leading to vendors being late in addressing problems due to lack of interest or resources.
There is also a noticeable lack of communication between discoverer and vendor, either because the discoverer goes directly to the forum publishing stage, or because the vendor is not responsive. Several discoverers or several vendors addressing a problem often leads to lack of co-ordination and leakage of vulnerabilities before a fix is available, leaving users vulnerable, Arce warned.
He pointed to several security bugs problems discovered by himself and other security experts at the SafeNet security conference held at the end of last year. Although these bugs were discovered more than two months ago, solutions are still few and far between.
Arce said he believed that 'proxies', individuals or groups that take responsibility for publicising vulnerabilities on behalf of the discoverer, would be helpful in co-ordinating communication and could even go some way to researching the bug. But as Arce points out, "this effort is in its infancy" and needs some serious work.
Until then, Core-SDI has issued a set of guidelines, labelled as 'A feeble attempt at improving the process', until security experts can either agree on or set out formal guidelines for bug reporting.
Arce's full report and Core SDI's guidelines can be found here.
Microsoft comes up with a new way to foist its unloved and little used Edge web browser on people
Facebook suspends Cambridge Analytica following weekend claims that it illegally harvested information from 50 million users
Insider claims Cambridge Analytica used academic app to filch Facebook data of 50 million users
Is the Samsung Galaxy S9+ worth its high price?