Secunia Research Sets Half Year Coordination Deadline

Secunia Research has per 2012 changed the disclosure policy for vulnerabilities being coordinated - both internally discovered and coordinated on behalf of researchers via SVCRP.
16:29 CET on the 13th January 2012
Entry written by Carsten Eiram.

Since Secunia Research began coordinating vulnerabilities with vendors back in 2003, we've provided a deadline of one year (with a few exceptions made). Over the years, we have continuously discussed whether this deadline should be shorter or longer. The goal of the deadline is to provide vendors with ample time to issue properly tested vulnerability fixes while at the same time not providing so much time that the disclosure process becomes unnecessarily delayed due to inefficiency.

Looking at the vulnerabilities coordinated over the past years, the majority were fixed within 6 months. Many of the vulnerabilities coordinated for longer than 6 months could likely have been fixed within 6 months had the vendors been more efficient during the coordination process. Only in a few complex cases did it make sense to provide vendors with more time to properly address a coordinated vulnerability.

Based on careful consideration and review of our Time-to-Patch periods for coordinated vulnerabilities, Secunia Research has revised our disclosure policy, changing the one year deadline to a ½ year semi-hard deadline for the majority of coordinated vulnerabilities, as that has in most cases been determined to be a very reasonable time frame for a vendor to issue fixes. For most vendors, who are already capable of issuing patches within 6 months, this is business as usual. For a few vendors, this will hopefully contribute to speeding up the patch process and ensuring more efficiency, knowing that they don't have a full year to provide a fix.

In a few exceptional cases dealing with complex fixes, an extension of up to another ½ year may be provided, up to a maximum of the old one year hard deadline.

Any vulnerability where coordination began in 2011 will be subject to the old disclosure policy, whereas any vulnerability where coordination began in 2012 or later is subject to the new disclosure policy.


Stay Secure,

Carsten Eiram
Chief Security Specialist

