Vulnerability Disclosure Poll Results and Conclusions
I must admit to being pleasantly surprised by the poll results. My expectation was a 50/50 split between vendor-only and vendor + US-CERT responses. We will leave the poll open, but at this time 87% of respondents chose disclosure to the vendor + US-CERT. Based on this sample, the preferred response for consultants, researchers, asset owners and vendors is clear: disclose vulnerabilities to the vendor and US-CERT.
This differs substantially from the impression at the 2006 PCSF annual meeting in San Diego where the vocal majority was very much against disclosing to US-CERT. That meeting was heavily attended and led by vendors, and I always wondered if the asset owners just didn’t want to get into the high-spirited discussions between Matt and some of the vendors. Perhaps asset owners don’t believe all faith and discretion should be left to the vendor regarding a vulnerability.
Another possibility is the community has more faith in US-CERT after seeing them in action with the first few disclosures.
Admittedly this sample size is small and represents a cross-section of the regular blog readers. These are likely people very active in control system security and perhaps people that react favorably to our approach towards disclosure and sharing tools and technical details with the control system community.
Author: Dale Peterson
Posted: July 19th, 2007 under Vulnerability Disclosure.
Comments: 2
Comments
Comment from Ron Southworth
Time: July 19, 2007, 6:22 pm
Given the obvious US-CERT/DHS “tie in”, this to me would account for the response being more favorable for that option than you expected.
I don’t know that there is a lack of trust with vendors; maybe it is that there is an increase in trust in the Government, and the partnering efforts between everyone in the community are starting to be reflected?
Unfortunately it is a small sample Dale. The last security survey I saw had a similar problem with sample volume. It really is a small industry!
Comment from Matt Franz
Time: July 19, 2007, 9:56 pm
I was surprised by the survey results as well. Perhaps another factor is that (contrary to some of the apocalyptic predictions expressed in San Diego last year) highly sanitized vulnerability reports really do not arm attackers or result in additional risk to assets.
Like everything else, of course, this perspective isn’t unique to control systems. I saw the same mentality at Cisco in the run-up to supposedly scary IOS vulnerabilities. Batten down the hatches. The world will end on V-day. Hackers would go on the offense knowing there was some new single-packet killer that could be exploited and “bring down the Internet.”
I think the more telling data on disclosure attitudes will be the advisories that result at the tail end of the process, in terms of who the reporter is:
- Will end users/asset owners submit vulnerabilities to coordination centers — assuming they are not forbidden by NDAs?
- Will SCADA vendors notify coordination centers the way IT vendors do?
- Will we see advisories (that do not go through a CC) from security vendors?
- Will we see advisories resulting from taxpayer-subsidized research or vendor assessments?