Information security researchers vs. vendors: who is responsible for software security?

Teacher

Delays in the release of updates can put companies and entire industries at risk.

Positive Technologies analyzed its own experience in interacting with software manufacturers in the field of vulnerability disclosure. The results showed that in 2022-2023, 57% of vendors responded promptly to research requests. However, only 14% of software companies released patches in the shortest possible time, and only 27% of vendors have a transparent and explicitly stated policy for disclosing vulnerabilities in their software.

Newly identified security flaws that the manufacturer does not yet know about and for which there are no patches are called zero-day vulnerabilities. As soon as the vendor learns of such a flaw, it is extremely important to immediately release an update, since delays give attackers more and more opportunities to exploit such vulnerabilities in their attacks.

The number of identified vulnerabilities is steadily increasing: in 2023, their number (28,902) exceeded the figures of the previous two years by 42% and 14%, respectively. Moreover, every incident and data leak costs businesses more and more: according to IBM, the average cost of a leak has jumped 15% over the past three years, reaching $4.45 million. In this regard, building trustful and transparent relationships between software developers and researchers in the field of information security plays a special role in strengthening security.

Delays in the responsible disclosure of vulnerability data are also fraught with an increase in attacks on supply chains: in the first three quarters of 2023, the number of incidents of this kind doubled compared to the figures for the whole of 2022.

Positive Technologies adheres to the principles of coordinated disclosure in cases of detection of vulnerabilities in vendor products. This approach involves regulators and organizations acting as intermediaries in interaction with suppliers, along with researchers and the software manufacturer.