Google Posts Sharp Criticism Of Vunerable Data Base

Google has posted sharp criticism of vulnerability database services in the wake of recent report.

Adam Mein of Google's security team said in a recent blog posting that the process of collecting and producing reports on security vulnerabilities generated data that was "commonly outdated or inaccurate to some degree."

"To make these databases more useful for the industry and less likely to spread misinformation, we feel there must be more frequent collaboration between vendors and compilers," Mein wrote.

"As a first step, database compilers should reach out to vendors they plan to cover in order to devise a sustainable solution for both parties that will allow for a more consistent flow of information."

The posting comes in the wake of a report from IBM's X-Force on software vulnerabilities. The report claimed that Google had 33 per cent of its reported flaws unpatched.

Mein said that the issue was due to a mistake in the classification of one of the three high-risk error reports it had seen. Following the correction, the company's percentage of unpatched flaws went from 33 to zero.

In a posting to a company blog, X-Force manager Tom Cross acknowledged the corrections and urged developers to get in contact with the company regarding any errors or inaccuracies in its vulnerability database.

"This sort of input is crucial for us, with more input from software vendors about vulnerability information we get greater accuracy in our snapshot of the industry," he wrote.

print this article

Return to security news headlines
View Security News Archive

Share with: