If your hardware or software vendor issues a lot of PSIRT (Product Security Incident Response Team) notifications, is that a good thing or a bad thing? After all, a PSIRT bulletin means that there’s a security issue with the product, so lots of PSIRTs means that the product is insecure, right?
What about the alternative, then? If a vendor issues very few PSIRT notifications, does it mean that their product is somehow more secure? This is an issue I’ve been thinking about a lot over the last year, and the conclusion I came to is that if a vendor is not issuing regular bulletins, it’s a bad thing. Either the vendor doesn’t think its customers should be aware of vulnerabilities in the product, or perhaps the bugs aren’t being fixed. A PSIRT bulletin involves the vendor admitting that it got something wrong and potentially exposed its customers to a security vulnerability, and I’m OK with that. Sure, I don’t like sloppy coding, but I do appreciate the transparency.
I believe that when a vendor is shy about publishing security notifications it’s probably a decision made by management based on the naive belief that limiting the number of times they admit to a security vulnerability will give the impression to their customers that the product is, by inference, more secure. I’d argue though that the opposite is true. We know that coders make mistakes and we know that common libraries used by developers within their code or within the OS have bugs in them. As a nerd, I want to see those bugs; I need to see those bugs. Far from making me think the vendor sucks, it proves to me that the vendor acknowledges that there are issues, is responsive to vulnerabilities, and is proud to say that they have fixed them (hopefully quickly).
My 2 Bits
The announcement of a vulnerability, its potential workarounds and the all-important “fixed-in” version is operationally critical to users of the product. A vendor that quietly fixes bugs without announcing them runs the risk of its customers not realizing how important it is to upgrade their installed codebase, and thus leaves the customer vulnerable and unaware for months or even years.
For our part as engineers, we should not be casting doubt upon companies that issue frequent PSIRTs. In my opinion the alternative is much worse.