By Carsten Eiram
Secunia Research has, as of 2012, changed the disclosure policy for the vulnerabilities it coordinates – both those discovered internally and those coordinated on behalf of external researchers via SVCRP.
Since Secunia Research began coordinating vulnerabilities with vendors back in 2003, we have provided a deadline of one year (with a few exceptions). Over the years, we have continuously discussed whether this deadline should be shorter or longer. The goal of the deadline is to give vendors ample time to issue properly tested vulnerability fixes while not providing so much time that the disclosure process becomes unnecessarily delayed by inefficiency.
Looking at the vulnerabilities coordinated over the past years, the majority were fixed within 6 months. Many of the vulnerabilities coordinated for longer than 6 months could likely have been fixed within 6 months had the vendors been more efficient during the coordination process. Only in a few complex cases did it make sense to give vendors more time to properly address a coordinated vulnerability.
Based on careful consideration and review of our Time-to-Patch periods for coordinated vulnerabilities, Secunia Research has revised its disclosure policy, replacing the one year deadline with a 6 month semi-hard deadline for the majority of coordinated vulnerabilities, as that has in most cases proven to be a very reasonable time frame for a vendor to issue fixes. For the many vendors already capable of issuing patches within 6 months, this is business as usual. For a few vendors, this will hopefully help speed up the patch process and improve efficiency, knowing that they no longer have a full year to provide a fix.
In a few exceptional cases involving complex fixes, an extension of up to another 6 months may be granted, up to a maximum of the old one year hard deadline.
Any vulnerability whose coordination began in 2011 is subject to the old disclosure policy, whereas any vulnerability whose coordination began in 2012 or later is subject to the new disclosure policy.
Chief Security Specialist