DocumentCode
3506829
Title
Are Vulnerability Disclosure Deadlines Justified?
Author
McQueen, Miles ; Wright, Jason L. ; Wellman, Lawrence
Author_Institution
Cyber Security R&D, Idaho Nat. Lab., Idaho Falls, ID, USA
fYear
2011
fDate
21-21 Sept. 2011
Firstpage
96
Lastpage
101
Abstract
Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and 60 days may not be practical. However, there is strong evidence that the recently announced Zero Day Initiative grace period of 182 days yields benefit in speeding up the patch creation process, and may be practical for many software products. Unfortunately, there is also evidence that the 182 day grace period results in more vulnerability announcements without an available patch.
Keywords
DP industry; organisational aspects; security of data; Google Security team; Rapid7; Zero Day Initiative; patch creation process; software products; software vendor; vulnerability disclosure deadlines; vulnerability research organizations; Fires; Google; Internet; Organizations; Security; Software; disclosure deadline; grace period; lifespan; patch development; security; software vulnerability;
fLanguage
English
Publisher
ieee
Conference_Titel
Security Measurements and Metrics (Metrisec), 2011 Third International Workshop on
Conference_Location
Banff, AB
Print_ISBN
978-1-4673-1245-5
Type
conf
DOI
10.1109/Metrisec.2011.9
Filename
6165770