LAS VEGAS: The increasing willingness of vendors to work with security researchers is making the process of reporting vulnerabilities easier, according to a panel of Black Hat presenters.
The researchers, all of whom were presenting their findings under the "Breaking things" track of the conference, said that many firms have grown more receptive to vulnerability reports and are more willing to work with researchers.
"Things have definitely gotten a lot faster; some comps even have deadlines to turn around a fix," said Chris Rholf, a consultant with Leaf Security Research.
"I think vendors have gotten a lot better, and bounties are proof of that."
James Forshaw, a consultant with Context Information Security, discovered a high-profile .NET vulnerability which Microsoft patched earlier this year. He said that the true range and scope of the flaw was only realised when Microsoft conducted its own investigation into the issue.
"I did not realise how much of an issue it was until it had gone through a few months in Microsoft's vetting process; it turned out to be considerably more troublesome than they thought," he said.
"To a degree it pleased me in some ways to find something that is that troublesome in a product."
Not all vendors are as accommodating and willing to work with researchers. Fermin Serna, an information security engineer with Google, who uncovered a vulnerability in Internet Explorer, said that firms such as Microsoft, Facebook and Google tend to be more accommodating of vulnerability reports.
"Whenever they find a vulnerability they are super responsive," he said.
"The smaller vendors are not as good as the big ones."