Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human

State of Disclosure Panel

Jerry Dixon

The big vendors are more willing to talk to researchers, and end users are more apt to work with the vendors. Most vendors are very cooperative about security issues and disclosure. The Cisco incident has made big vendors more willing to work with end users and security researchers, and all in all the incident was good for the security industry. Large customers of big vendors want disclosure information shared with them before the smaller customers get it, but the consensus is that early disclosure for big customers is a bad idea, even to the point of not giving preferred treatment to internal networks and devices. A very large part of the discussion covered what to do when a vendor has a vulnerability but not a fix. There was no clear consensus on this topic, but the vendors felt they shouldn't disclose a vulnerability unless they have a fix for it, except in extreme circumstances. Vendors don't want to draw attention to a flaw that people don't know about, so they aren't likely to disclose. One of the best things is that vendors are talking more, talking to researchers and working together to fix problems.