Open Tech Support
Open Tech Support Archives

Fed-up customers want faster bug alerts


Posted by: Tweaker

Corporate customers are sick and tired of software flaws.

A study of more than 300 companies published last week found that nearly 80 percent of companies support security consultants and hackers releasing information about software vulnerabilities even when the developers aren't prepared, and that they want news of potential flaws within a week.

The desire for greater and more rapid disclosure comes more out of spite than as a way to increase security. Slightly more than half of those in favor of disclosure seemed to support it as a way to embarrass software companies that haven't done an adequate job busting bugs in their programs, rather than as a way to protect themselves against future attack.

"They are tired of software vendors not writing good code," said Pete Lindstrom, director of security strategies for the Hurwitz Group, a technology consultancy.

While software companies' customers seem to be generally dissatisfied with the quality of the product they're buying, they aren't ready to switch to another provider based on poor security alone, the survey found.

"It is really kind of fascinating," said Lindstrom. "Not only do you have end users that are fed up, but despite that, no one will get rid of their software because of vulnerabilities. There doesn't seem to be a great answer to this."

In my opinion, a software company has the responsibility to take proper measures when learning about a bug. However, circumstances can arise where alerting the public immediately is not *always* the right way to go. For example, if your customers are powerless over the issue, they might be more aware, but they are also more at risk; as soon as the customer knows, the hacker knows. Also, if a company is trying to isolate an issue in order to solve it, any disturbances can become problems.

So all in all, I do believe that software companies have a responsibility to be forthcoming. However, I do not think that blanket rules can be applied. I think software companies should use good judgment (but of course that's an idealistic approach).

The article here.

Source: C/NET News

Copyright 2000-2008 Open Tech Support.  All Rights Reserved.  Site Design and Development by Tolitz Rosel.