Cisco’s Talos threat intelligence business has decided to extend its bug disclosure window from 60 to 90 days in a bid to give vendors more time to patch their products.
The firm decided on the new disclosure window after consulting the vendor community and its own data on average times to patch, according to the firm’s Mitch Neff.
As it now stands, the vendor will be contacted once on “day zero” and then again a week later. If they are still unresponsive after 45 days, a vulnerability report will be forwarded to the Carnegie Mellon Computer Emergency Response Team (CERT).
The vendor will then have a further 45 days to respond before public disclosure of the bug.
However, Neff confirmed that “extenuating circumstances, such as threats of any nature, may result in adjustments to disclosures and timelines either forward or backward.”
Cisco’s change of heart is partly down to data it pulled from previous bug reports, which illuminates the difference between open source and commercial communities.
The industry average time to patch stood at 78 days, with open source (42 days) appearing far more responsive than commercial (> 80 days).
However, breaking down the latter revealed those “leading” commercial vendors are actually doing better than their open source rivals – averaging 38 days.
It’s the “lagging vendors” which drag the overall commercial figure down, taking 113 days on average to patch.
“Interestingly, several large commercial vendors of consumer software were found in the Leading category. The most responsive of these vendors were noted as ‘Quick Turn-around Commercial’ vendors in our data - and they share some common traits,” explained Neff.
“All are large commercial vendors of popular consumer software, have taken a public stance on product security, and have active bug-bounty programs. This indicates these companies have invested heavily in product security and take that security seriously.”