Inside The Vulnerability Disclosure Ecosystem

Report released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities - and what researchers think.

Steve Zurier, Contributing Writer, Dark Reading

December 22, 2016

7 Slides

A new National Telecommunications and Information Administration (NTIA)-led study of how security researchers and software vendors handle and view vulnerability disclosure provides rare insight into both sides of the equation.

NTIA formed a team of stakeholders from the software industry, security researchers, and industry at large to study how the various players could build a higher level of trust when it comes to disclosing vulnerability information.

“Having more disclosure won’t solve all our security challenges,” says Allan Friedman, director of cybersecurity initiatives at the NTIA. “But it will build a more collaborative environment where organizations can respond to and have good relationships with [stakeholders] in the security field.”

One of the three working groups formed by the NTIA conducted two surveys, one of security researchers and another of software vendors. The researchers survey received 414 responses, and the software vendor study received 285.

On the plus side, 92% of security researchers surveyed say they participate in some form of security disclosure, but 60% say threat of legal action could potentially deter them from working with a vendor to disclose a vulnerability  

And while 76% of vendors say they look internally to develop vulnerability handling procedures, only one in three require third parties to develop their own vulnerability handling procedures.  

“Cleary there needs to be more work done in working with third parties,” says Friedman. “Especially when so many of the high-profile breaches involved third parties.”

NTIA published three papers from the study, and here are some key takeaways:  

About the Author

Steve Zurier

Contributing Writer, Dark Reading

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights