Cisco Talos updated its timeline for responsible disclosure of vulnerabilities to give vendors and developers more...
time to fix flaws before researchers go public with details of vulnerabilities. Under the new timeline, vendors will have up to 90 days to patch a vulnerability before Talos publishes the full disclosure report; previously, Talos allowed vendors no more than 60 days before publishing details of an unpatched vulnerability.
According to Talos -- the security intelligence and research group within Cisco -- the change reflects consideration of a number of factors, including feedback from vendors, analysis of average amount of time needed by vendors to patch their vulnerabilities and "improving the protection of everyday users on the internet by ensuring viable vulnerability disclosure takes place over a suitable time period."
"It is uncomfortable to acknowledge that if a white hat team has discovered a vulnerability in a high value target, it stands to reason their adversaries may also be trying to exploit the same issue," wrote Mitch Neff, Talos group outreach manager, in a blog post. "Researchers must carefully balance the needs and capabilities of vendors to fix a product with the safety and security of our customers and the community as a whole."
While the industry average time-to-patch (TTP) is 78 days, according to Talos there were significant differences in the TTP between open source projects and commercial products, as well as significant differences between vendors that on average patch faster than the established guidelines and those that patch more slowly.
"Commercial vendors are subdivided into leading (within the policy timeframe) and lagging (taking longer than the established timeframe)," Neff wrote. Among the lagging vendors, the average TTP was 113 days while the average for leading vendors was only 38 days. The average TTP for all open source vendors was 42 days.
Talos found the most responsive software vendors in the fastest patching group shared common traits: "All are large commercial vendors of popular consumer software, have taken a public stance on product security and have active bug bounty programs. This indicates these companies have invested heavily in product security and take that security seriously," Neff wrote. "They are competitive with open source companies in terms of time to patch. It is encouraging that the number of companies in this category [is] increasing, although the lagging end of the commercial space still managed to drag the overall average down from [about] 40 to 78 days."
Cisco Talos' new timeline for responsible disclosure begins counting when Talos first notifies the vendor of a vulnerability by email; a second email notification follows after seven days if the vendor does not respond to the first notice. At Day 15, Talos posts the original vendor notification date on the Cisco Talos vulnerability tracker website, and at Day 45, Talos notifies the Carnegie Mellon Computer Emergency Response Team (CERT). Previously, CERT notification would have occurred at Day 15, but an extra 30 days was added because CERT discloses unpatched vulnerabilities 45 days after it is notified. Full disclosure of the vulnerability occurs at Day 90 -- or after it is patched.
The new timeline for responsible disclosure may give vendors a bit more time to patch vulnerabilities, but Cisco reserves the right to speed up or slow down the timetable under certain circumstances under the new responsible disclosure policy: "Cisco will attempt to work with any vendor on reasonable adjustments to the timeline if progress is being made and the default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances, such as threats of any nature, may result in adjustments to disclosures and timelines."
Find out more about what happened when a researcher bypassed the timeline for responsible disclosure.
Learn about the reaction to the Badlock vulnerability disclosure.
Read about the problem with branded vulnerabilities.