Deploying JP Vendor Status Notes (JVN) for Dissemination of Security Information Throughout Japan

1. Vendor response to relentless security attacks


In recent years, we have seen a rapid escalation of computer viruses, unauthorized access attempts, and other malicious attacks exploiting security vulnerabilities of cyber systems. For example, "SQL Slammer" made its debut in January 2003, followed by the "Blaster" virus in August, "Sobig" in September, "Sasser" in May 2004, and others just within recent memory. Now that the Internet has become a critical part of the social infrastructure, this kind of extensive and growing damage to cyber systems has the potential to bring the operations of companies and government agencies to a grinding halt. The more recent appearance of viruses targeting mobile phones and reported vulnerabilities in other digital consumer products are very troubling developments, for they are clear signs that ordinary users could be much more adversely affected by these kinds of attacks than in the past.

Damage can usually be contained by fixing the vulnerability in each software product and server targeted by an attack, but responding after a virus has done its damage is too late. One preventative approach that could greatly mitigate the potential adverse impacts of vulnerabilities would be to inform the product vendor, but not the general public, when a vulnerability is discovered. The vendor could then develop a patch that is made widely available at the same time that the vulnerability is announced to the public. Indeed, there is no question that this kind of environment must be put in place as a public framework. We have entered a period in which software product developers are also becoming proactively involved in this framework.