
Re: (CVEPRI): Suggestion: An open letter on responsible disclosure



I want to add some reality back to this discussion. Here are some quick and dirty statistics I collected from our vulnerability database. Someone may want to do a more accurate, in-depth study.

I looked at the last 61 vulnerabilities in our database (after which I got bored). Of the 61:

* 21 were first reported by security vendors.
* In 19 of the 21 cases the vendor worked, or attempted to work, with the vendor of the vulnerable product.
* In 2 of the 21 cases the vendor does not appear to have worked with the vendor of the vulnerable product.
* 31 were reported by individuals.
* In 17 of the 31 cases the individual appears to have contacted the vendor before releasing the information.
* In 14 of the 31 cases the individual does not appear to have contacted the vendor before releasing the information.
* 9 were reported first by the vendors of the vulnerable products.

That means in only 26% of the cases were vendors not informed ahead of time of a vulnerability in their product.

Someone looking into this would like to further categorize the users that attempted to contact vendors by whether the vendor responded and how much time they gave the vendor. Also of interest would be to classify the vulnerabilities reported by risk to determine whether people are more responsible with higher risk vulnerabilities.

It should be noted that of the people that did not inform the vendors, in several cases they did not have enough information to determine whether there was a vulnerability or not, or why it worked, and only further discussion led to a more in-depth understanding of the problem. Also, several vulnerabilities were discovered while discussing other vulnerabilities, and thus a vendor could not be given prior notification. So it seems there will always be vulnerabilities discovered for which vendors can't be notified ahead of time, as they are discovered in a public forum.

Of course, all this data is derived from our database, and if we are missing any information it may be skewed.

So while I can see things becoming better, I don't see the sky falling as others are claiming.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/

Page last updated or reviewed: May 22, 2007