Are Vulnerability Disclosure Deadlines Justified?


Bibliographic Details
Published in: 2011 Third International Workshop on Security Measurements and Metrics, pp. 96-101
Main Authors: McQueen, M., Wright, J. L., Wellman, L.
Format: Conference Proceeding
Language: English
Published: IEEE, 01-09-2011
Description
Summary: Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and 60 days may not be practical. However, there is strong evidence that the recently announced Zero Day Initiative grace period of 182 days yields benefit in speeding up the patch creation process, and may be practical for many software products. Unfortunately, there is also evidence that the 182 day grace period results in more vulnerability announcements without an available patch.
ISBN: 9781467312455, 1467312452
ISSN: 2326-7712
DOI: 10.1109/Metrisec.2011.9