DocumentCode :
3506829
Title :
Are Vulnerability Disclosure Deadlines Justified?
Author :
McQueen, Miles ; Wright, Jason L. ; Wellman, Lawrence
Author_Institution :
Cyber Security R&D, Idaho Nat. Lab., Idaho Falls, ID, USA
fYear :
2011
fDate :
21-21 Sept. 2011
Firstpage :
96
Lastpage :
101
Abstract :
Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and 60 days may not be practical. However, there is strong evidence that the recently announced Zero Day Initiative grace period of 182 days yields benefit in speeding up the patch creation process, and may be practical for many software products. Unfortunately, there is also evidence that the 182 day grace period results in more vulnerability announcements without an available patch.
Keywords :
DP industry; organisational aspects; security of data; Google Security team; Rapid7; Zero Day Initiative; patch creation process; software products; software vendor; vulnerability disclosure deadlines; vulnerability research organizations; Fires; Google; Internet; Organizations; Security; Software; disclosure deadline; grace period; lifespan; patch development; security; software vulnerability;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Security Measurements and Metrics (Metrisec), 2011 Third International Workshop on
Conference_Location :
Banff, AB
Print_ISBN :
978-1-4673-1245-5
Type :
conf
DOI :
10.1109/Metrisec.2011.9
Filename :
6165770