Infosec pros don't have the luxury of playing favorites in terms of where credible threat information comes from, so I think it would be a bad idea to take any legitimate threat information less seriously.
That being said, clearly there are a number of security researchers out there that are more interested in their own celebrity status than helping out the industry, but those individuals are few and far between. Most of the researchers I know actually lose money by doing their research -- given the opportunity cost of poking at applications and network infrastructure -- as opposed to billing large customers a lot of money to tell them where they are exposed.
The X-Force survey was arbitrary at best. It used a criticality metric that is subjective and probably not relevant to most organizations. Of course, they have to keep their own research teams motivated, so it's clear why they would beat the drum for that kind of survey.
A lot of these rumblings about independent security researchers are irrelevant. The sooner a potential security issue is exposed, the better. If that information comes from a big company, that's great. If it comes from an independent researcher, that's good, too.
Keep in mind the bad guys don't play favorites. Neither should anyone else.
Related Q&A from Mike Rothman