Vulnerability Disclosure Survey

If you have a moment, take this survey.

This research project seeks to understand how secrecy and openness can be balanced in the analysis and alerting of security vulnerabilities to protect critical national infrastructures. To answer this question, this thesis will investigate:

  1. How vulnerabilities are analyzed, understood and managed throughout the vulnerability lifecycle process.
  2. The ways that the critical infrastructure security community interact to exchange security-related information and the outcome of such interactions to date.
  3. The nature of and influences upon collaboration and information-sharing within the critical infrastructure protection community, particularly those handling internet security concerns.
  4. The relationship between secrecy and openness in providing and exchanging security-related information.

This looks interesting.

Posted on January 25, 2006 at 8:24 AM • 13 Comments


Aze • January 25, 2006 10:11 AM

Hmmm.. now, if the survey primarily contains people who read Bruce S. Blog, will it be fully representative of the general public?

elamb • January 25, 2006 10:33 AM

Check this out:

"I registered in 1997. Now, eight years later, Planeta Agostini, one of the biggest publishing groups in Spain and owner of Ediciones Deusto, sends me letters via its lawyers demanding me to transfer them the domain, because they registered the trademark "deusto" in 2002 (I repeat, I registered the domain in 1997)."

Love to hear your take on this!!

Davi Ottenheimer • January 25, 2006 11:29 AM

It's kind of easy to see where Rick is going with this survey, but a couple questions threw me. For example I had a hard time understanding what he meant by this:

"Secrecy can be a convenient method to conceal management errors."

If you say no, does your answer get interpreted to mean secrecy is always inconvenient to conceal management errors? ("Can" as in possible).

Pat Cahalan • January 25, 2006 12:42 PM

@ Miles

I sure don't.

Sounds like it's a web site that is being blocked by a proxy? You on a corporate network?

Try TOR :)

Pat Cahalan • January 25, 2006 12:44 PM

@ Davi

I agree, some of the questions are leading. Some of them are also very subjective. I'd like to see the results of the study, just to see how they are presented.

Anonymous • January 27, 2006 3:00 PM

I agree with some of the others that the questions were a bit leading (I agree with Davi?!?? Shocking!). Of course, rigging polls is more common than not.

My answer to several of the questions would be "it depends." I can think of some areas - for instance, a security flaw that only affects major core routers - that would be best shared only within the group of customers until a patch is available. Like everything else in life, some discretion is necessary. But IMHO the strongly preferred default is full disclosure.

Rich • January 30, 2006 1:38 AM

Too many subjective ways to interpret the questions in this one. I'd like to see what quantitative formulas they use to analyze these results. Classic "survey 101" problems with this set of questions, but I am interested in seeing the results nonetheless (just read the conclusions with your own serving of salt).

Ron • January 30, 2006 2:58 PM

It's ironic that in order to take the survey on security, you need to have set your browser to poor security. I filled out the first page and clicked "continue" and nothing happened. It requires that you have JavaScript turned on.
