Software Integrity


Security researchers expose bugs and their vendors

In an age where applications are constantly scrutinized and found to have bugs, the process of reporting those bugs has stirred much controversy, especially in the eyes of security researchers. Many firms have done a poor job of listening to the individuals who notify them of bugs. This not only frustrates the researchers, but also leaves it to them to decide if and when to disclose their findings publicly.

If a vendor won’t acknowledge a researcher’s findings, how else can the researcher ensure that a fix is actually pursued? Although researchers are often justified in their dissatisfaction at being put in this position, Paco Hope, Principal Consultant at Cigital, gives his opinion on the larger difficulties that releasing these details can cause, both for the companies involved and for getting the bugs fixed properly.

“If a software vendor is forced to fix a complex vulnerability on a really fast timeline, there is a good chance that they will make a mistake.”


“It is one thing, from the outside, to say ‘this is an easy fix’. It is quite another thing to put a company’s reputation on the line by pushing a slapdash patch that actually causes more harm than exploiting the vulnerability would.”


“We expect software to have bugs. What sets software firms apart is how they deal with them.”

To learn more about the challenges researchers and organizations face when it comes to bug reporting, read Paco’s article on Tech Republic.