LAS VEGAS: The increasing willingness of vendors to work with security researchers is making the process of reporting vulnerabilities easier, according to a panel of Black Hat presenters.
The researchers, all of whom were presenting their findings under the "Breaking things" track of the conference, said that many firms have grown more receptive to vulnerability reports and are more willing to work with researchers.
"Things have definitely gotten a lot faster; some companies even have deadlines to turn around a fix," said Chris Rohlf, a consultant with Leaf Security Research.
"I think vendors have gotten a lot better, and bounties are proof of that."
James Forshaw, a consultant with Context Information Security, discovered a high-profile .NET vulnerability which Microsoft patched earlier this year. He said that the true range and scope of the flaw was only realised when Microsoft conducted its own investigation into the issue.
"I did not realise how much of an issue it was until it had gone through a few months in Microsoft's vetting process; it turned out to be considerably more troublesome than they thought," he said.
"To a degree it pleased me in some ways to find something that is that troublesome in a product."
Not all vendors are as accommodating and willing to work with researchers. Fermin Serna, an information security engineer with Google, who uncovered a vulnerability in Internet Explorer, said that firms such as Microsoft, Facebook and Google tend to be more accommodating of vulnerability reports.
"Whenever they find a vulnerability they are super responsive," he said.
"The smaller vendors are not as good as the big ones."