When I read this link,
I lived a well-known story I saw many times… I totally agree with them, and I would like to add some word to their letter:
@hdmoore linked the Rapid7 Disclosure policy: 60 days as maximum time given to the Vendor to patch… they are many, in a working environment. If you need more time to fix a “standard” vuln (memory corruption, sql injection, XSS, RFI, …) please re-think one of your process: do you develop bad code, with too many security bugs? Do you not undertake a correct Risk Analisys? Is your Incident Team too slow to address the issue after the Security Researcher/Consultant/Pentester submitted the bug?
until your Development Processes + Incident Handling Teams/Process + Risk Analisys & Management Structures will not communicate and will not see themselves as interrelating structures, you will not get even closer to real security. Your “quick” response (2-3 months or even a year!) is inappropriate to this new world.
Bad guys have twitter to share vulns in 15 minutes; they google your watermarks to find your product deployed on small or big companies! Small sites/companies are attacked for anonymization, DDOS, find customer’s data, spam, phishing, … and big ones can be totally owned for you vulns.
Yes, bad guys can own a company because of your bugs: just think about it, if I have found a big issue in only 5 days, what could an “armed&dangerous” team do in 3 months? And why will they target you? Who knows, perhaps because one day someone will look at you old-fashioned-web1.0-app, with no ajax and few css support, and will start thinking “how old this one is?”…
Please, stop thinking “I have reviewed my policies/processes 4 years ago, they are ok”… No, they’re not, 4 years ago no one used twitter or FB or google+ like today. 4 years ago cloud services waere pioneristic! 4 years ago there were not Stuxnet or DuQu, integrated malaware with extensive capabilities.
You have to rethink yourself as attackers became more powerful, and world goes on… If you think about it now, you have time to do big changes that will lead to a more secure state, if you continue delaying, please believe me when I say that tomorrow could be too late for your business
A Senior Security Consultant