Third Party Security Vulnerabilities - How Late is Too Late?

By now, I'm sure you've heard about the nightmare that is the Heartbleed bug.

One of the biggest problems with this bug is that OpenSSL is integrated into a lot of software, which means not only do you need to update any copies of OpenSSL, but you need to update software products which use OpenSSL.

Almost three weeks have gone by, and we're still seeing companies releasing updates to address this critical vulnerability.

This means for three weeks after public disclosure, products have been vulnerable without any means of fixing the problem.

Is it time to re-evaluate what is an acceptable time period for a company to release a security update to third party libraries?

No comments:

Post a Comment