Figures lie and liars figure. It's all in the way the question was phrased:

"When should software vendors disclose software vulnerabilities to their customers?"

This was the wording in the InformationWeek article that Steve posted. 66% said "immediately". What would the results look like if you asked a loaded question that leaned in the other direction?

"Should software vendors disclose information about software vulnerabilities to the global hacking community at the same time as all their customers who haven't yet implemented a working patch management process?"

I imagine the results would be slightly different. Take this study with a grain of salt.

------------------
Daniel Ingevaldson
Director, X-Force R&D/PSS
[EMAIL PROTECTED]
404-236-3160
Internet Security Systems, Inc.
Ahead of the Threat
http://www.iss.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron DuFresne
Sent: Thursday, July 08, 2004 12:04 PM
To: Steven M. Christey
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Information Week: 2/3 of pros want immediate disclosure

Which adds to the full disclosure debate a resounding "disclose ASAP". And shows that many in the industry feel this is needed not only to address issues in their envs as quickly as possible to mitigate problems until a fix/patch is available, but that most feel disclosure puts the pressure on their vendors to respond to issues as they become disclosed.

Thanks,

Ron DuFresne

On Wed, 7 Jul 2004, Steven M. Christey wrote:

> Information Week just posted an article titled "Disclosure: Security
> Pros Want Flaw Information Sooner" in which they surveyed 7,000
> business technology and security professionals. 66% argued for
> immediate disclosure upon discovery, and another 32% wanted disclosure
> once a patch was available, leaving only 2% who said that there was no
> need to disclose vulnerabilities at all:
>
> http://www.informationweek.com/story/showArticle.jhtml?articleID=22103495
>
> - Steve
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
