government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
"All companies should consider promulgating a vulnerability disclosure policy," he said.
Although participants in the vulnerability disclosure program typically won't receive any financial reward for their efforts, success can still be a career booster, Rice said.
* Adopting a coordinated vulnerability disclosure policy and practice; and
400 days is an extremely long grace period--recently some vulnerability disclosure periods have been as short as 1 or 2 weeks.
Increased scrutiny and additional researchers also increase the vulnerability disclosure rate and result in reducing the total cost of ownership.
"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.
Called "Coordinated Vulnerability Disclosure" (CVD), the new model is similar to Microsoft's responsible disclosure policy.
* Security updates from a dedicated team of security experts, which help to ensure the latest protection by continuously monitoring multiple sources of vulnerability disclosure information to identify and correlate new relevant threats and vulnerabilities.
However, according to the X-Force report, vulnerabilities disclosed by independent researchers are twice as likely to have zero-day exploit code published, calling into question how researchers practice vulnerability disclosure and signifying the need for a new standard in the industry.
Sourcefire Inc (Nasdaq: FIRE), a provider of intrusion prevention, has announced that the Sourcefire Vulnerability Research Team (VRT) delivered rules that protected Sourcefire customers and Snort users for almost a month prior to the recent Microsoft vulnerability disclosure (Microsoft Security Bulletin MS07-061).
[E]ach stakeholder involved in vulnerability disclosure may adopt a differing view regarding the scope and type of role they are willing take [sic].