Bugcrowd Blog

Vuln Disclosure: Why Security Vendors & Researchers Don’t Trust Each Other - Dark Reading Summary + Video

Posted by Kymberlee Price on Mar 23, 2016 10:21:22 AM

This article originally appeared on 3/22/2016 at 10:45 AM as a Commentary on Dark Reading.

I’ve heard all the common complaints from both researchers and organizations regarding the existing disclosure policies written over the last 15 years. There are valid arguments - “It doesn’t fit my business model” and “I don’t trust the other party” - which signal to me that, for now, the security ecosystem is too complex for any single policy to be both supported and followed by the majority of vendors and researchers. It’s about more than just the disclosure policies. It’s about addressing the historical distrust and hostility between these two parties, and the damage that years of miscommunication and misunderstandings have created.

Instead of oversimplifying a highly complex and diverse ecosystem with ‘One Policy to Rule Them All,’ in an article on Dark Reading I’ve outlined five actionable recommendations vendors and researchers can take to begin building trust. For additional context and examples, my 20-minute presentation at Kaspersky Security Analyst Summit 2016 is embedded below.

tl;dr - The security industry doesn't need a one-size-fits-all vulnerability disclosure policy. It needs a culture change. Getting everyone to the table is the first step.

Read the full post here.