acm-header
Sign In

Communications of the ACM

ACM News

Sloppy Software Patches Are a 'Disturbing Trend'


ZDI says it has noticed a worrying trend of companies disclosing less specific information about vulnerabilities in their public security alerts, making it more difficult for users around the world to assess how serious a vulnerability is and formulate pa

Credit: Getty Images

The whole purpose of vulnerability disclosure is to notify software developers about flaws in their code so they can create fixes, or patches, and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is calling out a "disturbing trend" at the Black Hat security conference in Las Vegas today and announcing a plan to apply some counterpressure.

ZDI, which has been owned by the security firm Trend Micro since 2015, is a program that buys vulnerability findings from researchers and handles disclosure to vendors. In exchange, Trend Micro, which makes an antivirus tool and other defense products, gets a wealth of information and telemetry that it can use to track research and hopefully protect its customers. The group estimates that it has handled roughly 1,700 disclosures so far this year. But ZDI says that from its bird's eye view, the quality of vendor patches overall has been slipping in recent years.

From Wired
View Full Article

 


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account