With continued debate around responsible disclosure and increased attention around security research techniques, Tripwire wanted to get a pulse on what the community considers responsible practices today. In surveying 147 attendees at the RSA Conference in San Francisco a couple weeks ago, we found out a number of interesting perspectives.
Most respondents favored shorter timelines in disclosing vulnerabilities publicly. When asked what’s a reasonable amount of time for allowing a vendor to fix a vulnerability before full public disclosure, 32 percent selected the shortest option of 60 days, followed by 25 percent who said public disclosure does not need to wait on a vendor fix.
Opinions were split on whether people should be allowed to test security constraints of a company’s products/services without upfront approval from that company, with 50 percent believing they should not be allowed and 49 percent saying they should be allowed.
This has been a point of debate recently around new cybersecurity legislation in Georgia, which would affect responsible security researchers’ abilities to do things in the public interest.
As Tripwire security researcher Craig Young has said in response to the proposed legislation:
Security researchers are the first defenders against data breaches. Ethical hackers find vulnerabilities in systems and expose them to product vendors so they can be patched before they are exploited maliciously. Finding and exposing these vulnerabilities is not a criminal act; it is done with the intent of making the products safer for consumer use.
Eighty-four percent of the survey participants felt that more legislation is needed to protect people and organizations from malicious hackers, though many felt lawmakers need guidance – for 35 percent, the answer was “Yes, but in partnership with infosec experts.”
The survey also explored participants’ own organizations’ experiences in receiving vulnerability reports. Thirty-six percent said that their organization has (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ray Lapena. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/tripwire-survey-most-rsac-attendees-favor-shorter-vulnerability-disclosure-timelines/