Vulnerability Disclosure Survey

If you have a moment, take this survey.

This research project seeks to understand how secrecy and openness can be balanced in the analysis and alerting of security vulnerabilities to protect critical national infrastructures. To answer this question, this thesis will investigate:

  1. How vulnerabilities are analyzed, understood and managed throughout the vulnerability lifecycle process.
  2. The ways that the critical infrastructure security community interact to exchange security-related information and the outcome of such interactions to date.
  3. The nature of and influences upon collaboration and information-sharing within the critical infrastructure protection community, particularly those handling internet security concerns.
  4. The relationship between secrecy and openness in providing and exchanging security-related information.

This looks interesting.

Posted on January 25, 2006 at 8:24 AM • 13 Comments


Aze January 25, 2006 10:11 AM

Hmmm.. now, if the survey primarily contains people who read Bruce S. Blog, will it be fully representative of the general public?

Davi Ottenheimer January 25, 2006 11:29 AM

It’s kind of easy to see where Rick is going with this survey, but a couple questions threw me. For example I had a hard time understanding what he meant by this:

“Secrecy can be a convenient method to conceal management errors.”

If you say no, does your answer get interpreted to mean secrecy is always inconvenient to conceal management errors? (“Can” as in possible).

Pat Cahalan January 25, 2006 12:42 PM

@ Miles

I sure don’t.

Sounds like it’s a web site that is being blocked by a proxy? You on a corporate network?

Try TOR 🙂

Pat Cahalan January 25, 2006 12:44 PM

@ Davi

I agree, some of the questions are leading. Some of them are also very subjective. I’d like to see the results of the study, just to see how they are presented.

Anonymous January 27, 2006 3:00 PM

I agree with some of the others that the questions were a bit leading (I agree with Davi?!?? Shocking!). Of course, rigging polls is more common than not.

My answer to several of the questions would be “it depends.” I can think of some areas – for instance, a security flaw that only affects major core routers – that would be best shared only within the group of customers until a patch is available. Like everything else in life, some discretion is necessary. But IMHO the strongly preferred default is full disclosure.

Rich January 30, 2006 1:38 AM

Too many subjective ways to interpret the questions in this one. I’d like to see what quantitative formulas they use to analyze these results. Classic “survey 101” problems with this set of questions, but I am interested in seeing the results nonetheless (just read the conclusions with your own serving of salt).

Ron January 30, 2006 2:58 PM

It’s ironic that in order to take the survey on security, you need to have set your browser to poor security. I filled out the first page and clicked “continue” and nothing happened. It requires that you have JavaScript turned on.
