Some vendors have been dragging their feet, but things are about to change

Jan 19, 2012 11:02 GMT

Secunia, the company known for researching and assessing vulnerabilities in many commercial products, has revealed a 2012 policy change: vulnerabilities discovered by its internal research team or reported through the Secunia Vulnerability Coordination Reward Program (SVCRP) will be made public six months after coordination with the vendor begins.

Since 2003, when the company began coordinating security weaknesses with vendors, the deadline has been one year, although Secunia has repeatedly discussed making it longer or shorter.

The main purpose of the coordination deadline is to give vendors enough time to fix and test the flaws, while also applying enough pressure to ensure that patches are not delayed by inefficiency.

“Looking at the vulnerabilities coordinated over the past years, the majority were fixed within 6 months. Many of the vulnerabilities coordinated for longer than 6 months could likely have been fixed within 6 months had the vendors been more efficient during the coordination process,” said Carsten Eiram, chief security specialist at Secunia.

“Only in a few complex cases did it make sense to provide vendors with more time to properly address a coordinated vulnerability.”

After careful consideration, Secunia Research decided to change the deadline to a six-month “semi-hard deadline” for the majority of coordinated vulnerabilities.

While most vendors have nothing to be concerned about, a few have proven highly inefficient at issuing patches for their products, and this is one of the main reasons the deadline is being shortened. Secunia hopes that the added pressure will push those companies to speed up their processes.

Of course, there are exceptional cases in which the new deadline may need to be extended; in such situations, the firm can grant vendors an additional six months to secure their products.