Apple, for example, keeps the work of its security team wrapped in secrecy and issues patches approximately every month. Microsoft has moved to a strict second-Tuesday-of-each-month patch-release schedule, unless a flaw arises that poses a critical threat to customers' systems. Database maker Oracle has settled on a quarterly schedule.
"We think it is in the best interest of our customers," said Kevin Kean, director of Microsoft's security response centre. "A large portion of the research community agrees with us and works with us in a responsible way."
But some security researchers believe the tradeoff benefits companies too much, since it lets them adjust their patching processes at their own convenience and avoid releasing fixes that would disrupt the progress of software development. That adds up to a lax attitude toward security, some experts believe.
For example, eEye Digital Security abides by Microsoft's responsible disclosure guidelines, but posts the length of time since it reported a vulnerability to the software giant on a special page on its Web site. The top-rated flaw on the company's Web site was first reported to Microsoft almost six months ago.
The detente also makes manufacturers look good in terms of the lag between the public warning of a flaw and the release of a patch. For example, a year-old study by Forrester Research gave a nod to Microsoft for minimising the window of vulnerability, compared with most Linux distributions. It's a direct side-effect of the software giant's ability to convince security researchers to play ball, despite expectations.
"The general consensus in the developer community is that one would like to help the open-source projects rather than to torpedo them," said Laura Koetzle, vice president and research director of Forrester Research and the author of the report. "Whereas the temptation with a large faceless company is to disclose early and hurt them."
The dispute over disclosure goes to the heart of an old question: Is it responsible to give details of a threat, if the warning puts even more people in danger?
Those concerns drove a discussion on the Linux kernel mailing list last week. A suggestion that a contact point be created to focus on security issues in the kernel, the core of the open-source operating system, immediately blossomed into a debate about whether that list should be private or public.
In addition, the debate centered on the question of whether the vendor-centric security list, Vendor-Sec, takes too much time to fix important flaws.
"It should be very clear that no entity ... can require silence or ask anything more than 'Let's find the right solution,'" Linus Torvalds, the original creator of Linux, said in the discussion. "Otherwise, it just becomes politics."