It’s No ‘Giggle’: Managing Expectations for Vulnerability Disclosure
2020-09-11 19:18

"Facebook's VDP addresses vulnerabilities of third parties, which helps to normalize vulnerability disclosure," security researcher and bug-hunter Mike Takahashi told Threatpost.

While the VDP moves are net positives for cybersecurity, the juxtaposition of the VDP rollouts with the Giggle issue shows that VDPs aren't simply a blanket golden ticket to a harmonious vendor-researcher relationship, researchers noted.

For instance: providing clear boundaries for security researchers in terms of ethical hacking; offering clarity on what is in scope and what is not; and specifying how long a researcher must wait before disclosing publicly, even if no patch is available.

Overall, expectations need to improve - both for researchers and vendors - and appropriately structured VDPs can be a big key to that, he said.

"Researchers are surprised by a vendor's response, and vendors are surprised by a researcher's disclosure. We as an industry have been doing disclosure long enough that there should be no surprises."

News URL

https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/