The debate over vulnerability disclosure has been raging for as long as vulnerabilities have been reported. While some support what is known as Full Disclosure, the practice of going public with the full details of security vulnerabilities, what appears to be the industry norm these days is called Responsible Disclosure, where the details of the vulnerability are first disclosed to the vendor.

The whole idea is that the vendor is given time to fix the bugs - which helps the vendor's image - while at the same time preventing customer panic and a sudden, heightened security risk.

Many believe that responsible disclosure is good for the industry as a whole, but quickly note that the real reason vendors fix bugs quickly under responsible disclosure is the threat of full disclosure.

While this claim is hard to prove, it makes a lot of sense given that the cost to vendors of a public backlash (and the potential legal rumpus) resulting from NOT fixing the bugs quickly far outweighs any cost incurred fixing those bugs. Additionally, it's hard to point to any motivation for a vendor to fix a bug QUICKLY under a secret disclosure system.

After weeks of Google-bashing for being too slow in fixing reported vulnerabilities, Google received the thumbs-up for fixing an XSS bug only hours after it was reported.

Last week another drama unfolded when IBM's ISS X-Force team disclosed multiple vulnerabilities in TrendMicro's ServerProtect products. There have been mixed reactions about whether ISS did the right thing by disclosing the vulnerabilities and subsequently blogging about them. Some have criticized ISS for breaking an industry code and for going too far, questioning whether ISS would go to the same extent if one of its own products were at fault.

The criticism of ISS's actions has so far been lame at best. ISS's basic argument is that it gave TrendMicro enough time to fix the issues, but TrendMicro proved uncooperative.

TrendMicro claims it has already fixed the bugs, a claim ISS disputes. The security advisory firm Secunia confirms that the vulnerabilities exist and has issued advisories for them.

Given that ISS followed its responsible disclosure guidelines and offered TrendMicro more than enough time to fix the bugs, I think ISS deserves commendation - the same commendation that should be extended to TrendMicro should they find a vulnerability in an ISS product and ISS fail to act.

Now that Secunia has confirmed the existence of the vulnerabilities, let's see how long it takes TrendMicro to fix them.
