Security experts are calling for a set of guiding principles to formalise the process of reporting security vulnerabilities, claiming that in the "real world" the whole process is liable to failure.
According to a report in the latest Internet Security Conference Newsletter, authored by Ivan Arce, founder and chairman of security group Core-SDI, there are numerous "bugs in the bug reporting process".
Discoverers of bugs in software and hardware often do not have the skill or time to research the problem, making it difficult to determine if the problem actually exists, or if it is specific to the discoverer, said Arce.
Nor does the discoverer have the resources to assist the process of identifying the problem, leading to vendors being late in addressing problems due to lack of interest or resources.
There is also a noticeable lack of communication between discoverer and vendor, either because the discoverer goes directly to the forum publishing stage, or because the vendor is not responsive. Several discoverers or several vendors addressing a problem often leads to lack of co-ordination and leakage of vulnerabilities before a fix is available, leaving users vulnerable, Arce warned.
He pointed to several security bugs problems discovered by himself and other security experts at the SafeNet security conference held at the end of last year. Although these bugs were discovered more than two months ago, solutions are still few and far between.
Arce said he believed that 'proxies', individuals or groups that take responsibility for publicising vulnerabilities on behalf of the discoverer, would be helpful in co-ordinating communication and could even go some way to researching the bug. But as Arce points out, "this effort is in its infancy" and needs some serious work.
Until then, Core-SDI has issued a set of guidelines, labelled as 'A feeble attempt at improving the process', until security experts can either agree on or set out formal guidelines for bug reporting.
Arce's full report and Core SDI's guidelines can be found here.
IBM and Technical University of Munich team demonstrate how Shor's algorithm, which can't be cracked by conventional computers, can be solved quickly with quantum computing
Hubble Space Telescope finds superflares from young red dwarfs could strip away planetary atmosphere
Younger stars are 100 to 1,000 times more energetic than when they're older
Two of the big four supermarkets will use the system to control sales of restricted products
PUBG news and updates: November's Update #23 to bring new Skorpion pistol and changes to blue zone visibility
Genuinely useful side-arm coming to PUBG in Update #23