Security experts are calling for a set of guiding principles to formalise the process of reporting security vulnerabilities, claiming that in the "real world" the whole process is liable to failure.
According to a report in the latest Internet Security Conference Newsletter, authored by Ivan Arce, founder and chairman of security group Core-SDI, there are numerous "bugs in the bug reporting process".
Discoverers of bugs in software and hardware often do not have the skill or time to research the problem, making it difficult to determine if the problem actually exists, or if it is specific to the discoverer, said Arce.
Nor does the discoverer have the resources to assist the process of identifying the problem, leading to vendors being late in addressing problems due to lack of interest or resources.
There is also a noticeable lack of communication between discoverer and vendor, either because the discoverer goes directly to the forum publishing stage, or because the vendor is not responsive. Several discoverers or several vendors addressing a problem often leads to lack of co-ordination and leakage of vulnerabilities before a fix is available, leaving users vulnerable, Arce warned.
He pointed to several security bugs problems discovered by himself and other security experts at the SafeNet security conference held at the end of last year. Although these bugs were discovered more than two months ago, solutions are still few and far between.
Arce said he believed that 'proxies', individuals or groups that take responsibility for publicising vulnerabilities on behalf of the discoverer, would be helpful in co-ordinating communication and could even go some way to researching the bug. But as Arce points out, "this effort is in its infancy" and needs some serious work.
Until then, Core-SDI has issued a set of guidelines, labelled as 'A feeble attempt at improving the process', until security experts can either agree on or set out formal guidelines for bug reporting.
Arce's full report and Core SDI's guidelines can be found here.
Equinox's Dave Millett explores how phone, mobile and broadband could be affected by a no-deal Brexit
Dust storm on Titan only the third Solar System body where such storms have been observed
New technique could enable quantum computers to scale-up to millions of qubits
Systrom and Krieger taking time off "to explore our curiosity and creativity"