NOW READ THIS
("Security Advisory")


Submitted by: Bill Hickey
NCVA List Master

NRT-0448 Researchers Want Companies to Disclose Vulnerabilities:


GNU Citizen, a group of blogging researchers who have published several big stories on software vulnerabilities, wants companies to disclose cyber vulnerabilities rather than try to cover them up. Petko Petkov, a member of the group, describes company attempts to bury security vulnerability information as "black public relations (PR)." "Most of the companies, they just don't fix them [software problems]," Petkov said. "They build a big black PR group to counter stories." Part of the problem is the economics of fixing faulty software: creating and distributing patches is very expensive, and some vendors would rather fly below the radar than fix the flaws, said Petkov.

GNU Citizen's "anti-black PR" unit looks at the broad implications of security problems, such as a company's economic interests and what data may be compromised, and formulates a big picture of the machinations of a company and what is at stake when, for example, banking systems are compromised.

GNU Citizen advocates "responsible" disclosure, which it says involves contacting companies that have problems with their software and giving them enough notice to fix the bug before it is publicly discussed. Nonetheless, the group has been blamed by companies for enabling attacks through its vulnerability disclosures.

(www.networkworld.com 27MAR08)


Last Modified: Thursday, 03-Apr-2008 21:03:53 EST