Dissemination of vulnerabilities by security professionals and software vendors is on the increase, as organisations recognise their mutual dependence on early discovery.
Analyst Frost & Sullivan finds 74 vulnerabilities disclosed in Q3 of 2008 and says that, although that was down on previous periods, the number has been rising, and is expected to keep climbing.
However, security practitioners remain divided on the topic of contribution compensation programmes, blurring the lines between responsible disclosure and full disclosure. So Frost & Sullivan believes that although many software vendors understand the importance of vulnerability research, a few are still uncooperative.
“While the vulnerability research market is highly dynamic, there remain only a few companies that walk the line ethically,” comments Frost & Sullivan research analyst Christopher Rodriguez. “This market faces several polarised points of debate and has much more potential for growth than it has shown so far.”
He expects significant growth with the release of new applications, citing automated testing tools, such as fuzzers, that now help researchers to find bugs faster. And he comments on the potential for financial reward, with the emergence of ‘bug bounty’ programmes.
|