
Security in Computing 5th Edition by Shari Lawrence Pfleeger, Charles P Pfleeger, Jonathan Margulies

Edition 5, ISBN: 0134085043
Exercise 1

List the issues involved in the software vulnerability reporting argument. What are the technical issues? What are the psychological/sociological ones? What are the managerial ones? What are the economic ones? What are the ethical ones? Select a vulnerability reporting process that you think is appropriate and explain why it meets more requirements than any other process.

Step-by-step solution

Step 1 of 8

Software vulnerability reporting

Software vulnerabilities are gateways that allow threats to manifest and affect a system: a weakness within the software allows the system to be compromised. A vulnerability assessment searches for these weaknesses so that the issues arising from them can be remedied.

The issues involved in software vulnerability reporting are the following:

Plausible Denial – Most vulnerabilities are exploited after initial test attacks, which test the weakness of the system. Some vendors argue that full disclosure of a vulnerability creates more potent variants, which may affect the system more.

Vendor Interests – A vendor usually finds it more feasible to offer security patches as a bundle, as opposed to providing a patch for each flaw as it is discovered. The problem with this approach is that, while fixing each vulnerability individually is resource-consuming and expensive, a bundle allows a weakness to remain for a longer period.

User Interests – Users are generally the biggest victims of unresolved weaknesses in a system. Since the vendor’s method of developing a bundle and installing patches leaves the system vulnerable, many security experts now support publicizing the existence of a weakness as soon as possible. This approach allows attackers to isolate and attack a flaw until a patch is provided.

