As software replaces hardware in domains across all major sectors, Durbin says security researchers regularly uncover vulnerabilities and make them public in an effort to improve security. But manufacturers have begun responding to this trend with legal action rather than working with the researchers to fix the vulnerabilities. The ISF believes this trend will become even more prevalent over the next two years, leaving customers with software riddled with vulnerabilities manufacturers have hidden rather than fixed.
"We have seen an increase in the number of researchers that have been silenced with lawsuits and such being chucked at them Durbin says. He points to one large retailer in Australia that has responded by providing bounties to white hat hackers that can crack their systems before they launch them. "You need to be pretty brave to be doing that and you certainly need a sign-off from the top of the organization," he adds. The ISF recommends that technology buyers insist on greater transparency during the procurement process, including access to the manufacturer's vulnerability discovery policy and external vulnerability testing results. For manufacturers, the ISF recommends you consider offering financial rewards to researchers who responsibly disclose vulnerabilities. If necessary, use mediation services to agree to satisfactory disclosure practices.