Based on my general impressions in day-to-day operations for CVE (around 150 new vulns a week on average), maybe 40-60% of disclosures happen without any apparent attempt at vendor coordination, another 10-20% with a communication breakdown (including "they didn't answer in 2 days"), and the rest coordinated. A bit of a guess there, though.
The only remotely relevant survey that I can think of was by me and Barbara Pease, 6 years ago in 2001, and we were reduced to qualitative analysis because data collection turned out to be too expensive, and this was focused on vendor acknowledgement (which holds steady at 50% no matter what the year). But disclosure timelines are thankfully more prevalent these days, so an updated study would be more illuminating. I'm looking forward to Richard Forno's study of vuln researchers whenever it comes out. For obligatory SC-L content: this is one reason why I think vendor development/maintenance processes need to be prepared for non-coordinated disclosures. - Steve _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
