No matter how diligent you are, there's always the possibility that a vulnerability will be discovered in your application. A threat you decided was not of a high enough priority to address might actually turn out to be targeted by an attacker after all. A security researcher, eager to get his first post to the Bugtraq mailing list, could decide to publicize a vulnerability you thought unlikely to be uncovered. None of this should be surprising — the goal of the risk analysis and mitigation techniques presented here has always been to expend a reasonable effort to reduce the risk of attack, not obliterate the chance of attack at all costs. Anyway, for whatever reason, you now have a vulnerable application in the wild, and your customers have it, too.
Once a vulnerability has been discovered in your application, you need to manage your response to it. Of course the vulnerability must be fixed, but that is only part of the process. You must also communicate with the reporter and with your customers so that the risks are well understood, and you must update your own view of the risks facing your application.