---------- Forwarded message ----------
From: security curmudgeon 
To: InfoSec News 
Cc: errata submission , 
john.leyden@theregister.co.uk
Date: Thu, 11 Jul 2002 07:48:40 -0400 (EDT)
Subject: Re: [ISN] Show us the bugs - users want full disclosure


> http://www.theregister.co.uk/content/55/26090.html
>
> By John Leyden
> Posted: 08/07/2002 at 15:34 GMT
>
> End-users overwhelmingly support the full disclosure of security
> vulnerabilities, according to a recent survey by analysts Hurwitz 
Group,
> which demonstrates widespread frustration about vendor responsiveness 
to
> security issues.
>
> Based on interviews with more than 300 software security 
professionals,
> the report shows that end users overwhelmingly support full 
disclosure -
> announcing security vulnerabilities as soon as they are discovered. 
The
> end users surveyed for the report are clearly angry that vendors are
> releasing insecure applications, and then not responding when flaws 
are
> detected, Hurwtiz reports.
>
> "They see full disclosure in public forums and in the press as the 
only
> way to force vendors to respond to vulnerabilities caused by poorly
> written and insecure code. In fact, end users overwhelmingly support
> full disclosure even if it means exposing security flaws within their
> organisation that could have a negative impact on their company," it
> writes.

Oh now this is rich. Let's look at this and divulge a little truth about
the survey. The survey that got sent out to 300 "security professionals"
asked this question of the participants regarding their role in the
company:

Which of the following best describes your function in the organization?
 Executive Management (CxO, VP, Senior Director, etc)
 Senior Management (Director, Manager, etc.)
 Functional (Engineer, Analyst, Administrator, etc.)


This isn't being sent out to 300 "security professionals". This is being
sent out to 300 random IT people that may or may not work in the 
security
industry, who may or may not manage security people. The fact that they
did not disclose this is reprehensible. Further, to use this survey
without disclosing the participants and conclude "end users 
overwhelmingly
support full disclosure" is appalling.

This type of report is no better than the recent Alexis de Tocqueville
"study" or the annual CSI/FBI survey. I simply can't believe this got
passed off as 'news'.
[an error occurred while processing this directive]