When it comes to issuing patches, time is precious, but there are limits on just how quickly a company can get a patch out. Vulnerability research firm Secunia seems to think six months is long enough.
Starting this year, software vendors will have a six-month deadline to fix vulnerabilities reported through the Secunia Vulnerability Coordination Reward Program (SVCRP).
Secunia’s previous deadline, established in 2003, was one year. The decision to reduce it came after studying the history of the company’s vulnerability coordination efforts.
The new deadline is similar to what other security firms currently enforce. Hewlett-Packard subsidiary TippingPoint, which runs the Zero Day Initiative (ZDI) program, has had a six-month deadline for fixing vulnerabilities reported to vendors since the beginning of last year.
“It seems to be a deadline that most vendors should be able to live up to,” said Carsten Eiram, Secunia’s chief security specialist. “It is important to pick a deadline that provides vendors with ample time to develop proper fixes for most cases without providing too much time to ‘slack off.’”
Some software companies agree that a six-month deadline is reasonable. “Generally, six months is a reasonable amount of time for a vulnerability to be fixed,” said Brad Arkin, Adobe’s senior director of security for products and services.
However, there can be situations when a company needs more time to address a security problem, for example, when the fix requires architectural changes in the product. Secunia is willing to wait for an additional six months without disclosing the vulnerability publicly when it believes that such an extension has merit.
At the moment, every vulnerability researcher or security company has its own policy regarding vulnerability disclosure deadlines. In this context, finding common ground and establishing an industry standard could make sense. However, that’s unlikely to happen.
“Having a deadline to work toward makes sense in most instances; however, there are always exceptions in software development, making it difficult — if not impossible — to implement an industry standard that would work across all scenarios,” Arkin said.
“Each security issue is unique and therefore end-to-end update preparation time varies,” said Dave Forstrom, director of incident response for Microsoft’s Trustworthy Computing Group.