Should vendors close all security holes?

In last week’s column, I argued that vendors should close all known security holes. A reader wrote me with a somewhat interesting argument that I’m still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

The reader wrote to say that his company often sits on security bugs until they are publicly announced or until at least one customer complaint is made. Before you start disagreeing with this policy, hear out the rest of his argument.

“Our company spends significantly to root out security issues," says the reader. "We train all our programmers in secure coding, and we follow the basic tenets of secure programming design and management. When bugs are reported, we fix them. Any significant security bug that is likely to be high risk or widely used is also immediately fixed. But if we internally find a low- or medium-risk security bug, we often sit on the bug until it is reported publicly. We still research the bug and come up with tentative solutions, but we don’t patch the problem.”

He continues, “We have five main arguments for waiting to close a noncritical, internally found, security bug. First, in the grand scheme of things, we’d rather spend our resources on high-risk bugs, whether publicly known or unknown. Every medium- or low-risk security bug in the pipeline essentially slows down the whole process. We have a fixed number of resources. We don’t have an unlimited budget like Microsoft.”

[Note: Even Microsoft doesn’t have an unlimited budget for security fixes. -- Roger]

“Second, we give next priority to any publicly known bug. We get evaluated on the bugs known by the public and how fast we close them. You even tout your beloved Secunia.com, and they publicize how fast vendors patch known vulnerabilities. People are checking out that site, and others, to see how well our product stacks up to the competition. Senior management certainly cares how the media portrays us. And nobody, not even senior management, knows about the internally found bugs. We’d be crazy to concentrate on anything else.