About a month ago, there was a coordinated disclosure on a flaw in TCP which affected a number of vendors, including Cisco. As is often the case when a vulnerability is disclosed in a widely-deployed technology such as TCP, it’s in the best interests of customers and the industry alike that everyone agrees on a common solution to the issue, as well as a date and time of disclosure. In this most recent event, the issue was first reported over a year ago — so what took vendors so long to formally address the flaw?

The answer is not complex, but it does merit explanation. There are multiple factors which can affect the timing of a vulnerability disclosure. For example, as the number of affected products and vendors increases, so does the ‘number of cats that need to be herded.’ Frankly, this is often frustrating for the researcher(s) who discovered the flaw in the first place, as the time between the initial report of the vulnerability and coordinated disclosure by the vendors feels unnecessarily long. So what could possibly take a year? In no particular order of importance, consider the following variables:

These are what I believe are the key factors that ultimately influence the timeline of disclosure for industry-wide vulnerabilities. If you think I’ve missed something or have a different view on the subject, I’d like to hear from you.
