Friday, May 31, 2002

Patch or No, Flaws to Go Public
Tired of software vendors' lack of responsiveness to security problems, David Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England, said he now will simply wait one week from the time he notifies the vendor of the problem before announcing the flaw publicly in what he calls a Vendor Notification Alert.

He will not, however, release the details of the vulnerability—just the fact that it exists and any workaround information that is available.

Litchfield is well-known in the security community and has a long history of uncovering vulnerabilities, most often buffer overruns, in products from companies such as Microsoft Corp., Oracle Corp. and IBM's Lotus division.

Litchfield's new approach is likely to draw fire not only from vendors but from some members of the security community who believe that no mention of a new vulnerability should be made until a patch is available. The question of when to release vulnerability data and how much to say is an age-old one.

But to date, most researchers have erred on the side of caution, opting to accept a vendor's assurances that it is working on a patch and often waiting weeks or months to announce the new vulnerability.

However, Litchfield in his announcement said lately he has "noticed a 'lethargy' and an unwillingness to patch security problems as and when they are found."
http://www.eweek.com/article/0,3658,s=712&a=27406,00.asp

No comments:

Post a Comment

con·cept