Responsible disclosure for vendors?

By Space Rogue No comments

If a vendor finds a vulnerability in a competitors code are they obligated to tell them? What exactly is ethical and or responsible disclosure when it comes to competing vendors? Among security researchers the general consensus these days is to notify the vendor and then wait a reasonable amount time for a patch to be developed before going public. While this scenario is for the most part agreed upon and followed it is by no means a perfect solution. Now through in competing vendors and it gets even stickier.
Recently the Mozilla group was notified of an exploit in their code which they dutifully fixed. In the process they evidently realized that the same hole effected the Opera browser. Like good net citizens they notified Opera of the hole but did not wait around for Opera to fix it.
So is Opera justified in being a little miffed at Mozilla for not waiting for a fix or should they be happy that they got notified at all? Should vendors be held to the same ethical standards as researchers when it comes to vulnerability disclosure even if it is with a competitors product? Why have we had this same problem for decades without some sort of solution?

Leave a Reply