It\u2019s not every day that the Chief Information Security Officer (CISO) at the world\u2019s largest automaker gets to present a keynote talk at a hacker convention. So when General Motors CISO Eric Litt was asked to do precisely that at the European Black Hat Convention in Amsterdam earlier this year, he used the chance to reach out to the hacker community. His goal: present to the hackers his look at the problems large corporations face when dealing with software vulnerabilities -- and the manner in which they are disclosed and remedied. Litt spoke Wednesday with Computerworld about those same issues. Excerpts from the interview follow:Why is this issue of vulnerability disclosure practices so important to you?If you are a CISO, you really are stuck in the middle between a bunch of different constituents that are out there. You have the researchers and the academic folks and then you have the software vendors -- and we have to deal with the cards that get dealt to us. Somebody releases off-the-shelf software and it has got vulnerabilities in it. If those vulnerabilities don\u2019t get plugged, I have to deal with the fact that I have vulnerable code in my environment. Then we have people out there who are trying to figure out how to hack into an environment or to exploit a vulnerability and they may be doing it for different ethical or non-ethical reasons. And I have to try and protect my environment.In your opinion what should responsible vulnerability disclosure and remediation practices be about?I broke the problem into a bunch of different viewpoints when I did the Black Hat thing. If you take a look at the exploiter\u2019s view of the world, what\u2019s in it for them? What motivates them? Fame, fortune, curiosity and creativity. They want attention, they want money. If you look at the ethical researchers\u2019 world, they are out there motivated by the same things. The differentiator is what they do with the information they get. So as I sit here as the CISO of a large company, don\u2019t I want things to be discovered? Absolutely, because I want to make sure vulnerabilities are plugged. Don\u2019t I want people to be rewarded for the work they have done? Absolutely. If they are not rewarded on the clean side, they\u2019ll be rewarded on the dirty side. People always will find a way to get rewards.So what is responsible disclosure?Suppose there\u2019s a vulnerability in some platform and you discover it right now and you go tell the world about it. Some researchers would say that\u2019s exactly what you should [do] because otherwise the vendor won\u2019t address it. And I say, \u2018Wait a minute. Time out. You are now telling people how I can be compromised and that\u2019s a big problem.\u2019 [On the other hand], you discover something and you tell vendor XYZ that there\u2019s a vulnerability in their product and they do nothing for 200 days, they simply are not responsive. What do you expect the researcher to do? So we haven\u2019t created between the vendor, the ethical researcher and the business consumer an environment that is synergistic and that we can all benefit from. I think it is doable, but I\u2019m not sure anybody is really taking on that challenge.How should vendors be responding to vulnerabilities that are discovered in their products?In an ideal world there wouldn\u2019t be any vulnerabilities and they wouldn\u2019t have to disclose anything. But that is not the world. Really critical vulnerabilities must be plugged immediately, whatever \u2018immediately\u2019 might be. On the other hand, what is critical? I think what you are seeing in the industry today is that most of the vendors are trying to be very conservative in their ratings of vulnerabilities. What they are really trying to do is limit the exposure that gets generated from them having had a vulnerability. As a vendor, if you call everything critical then you\u2019ve covered your bases. You\u2019ve said here\u2019s the vulnerability, here\u2019s the fix for it and you need to do it right away.How is this affecting you?One of the challenges that we are having as a group is that vendors don\u2019t tell us everything they have fixed. As an example, when a product vendor releases a patch they say it is critical and addresses a vulnerability in XYZ service. At the same time, the patch addresses vulnerabilities in three other services -- but we don\u2019t know that when we review the release notes associated with the patch. And we say that it\u2019s not really critical because we have other mitigating controls that can address the vulnerability. So we are not going to make it a fire drill, critical patch deployment -- we are going to treat it as medium criticality in our environment. What we don\u2019t know is that there are three other holes that have been plugged, and, by the way, we don\u2019t have mitigating controls for one or more of those and we may get bitten.So what would you rather see happen?It\u2019s very context dependent. In my position, of course, I\u2019d like to know everything [relating to a vulnerability]. But is that reasonable? And if you are in a vendor\u2019s shoe could you do that? As a vendor, who can you trust and who can\u2019t you trust [with vulnerability news]. Can you trust every CISO out there, every CIO out there, every CTO out there? The answer is clearly, no. So how do you differentiate? If you go tell the federal government something and are not telling me about it, then I get mad at you. Or if you go and tell the press something and don\u2019t tell me about it, I get mad at you. I think enough information should be released so that people can make a reasonable assessment of how vulnerable they are. But we don\u2019t want to provide information that helps unethical people compromise systems before those issues can be addressedHow is all of this forcing you to respond?We don\u2019t continuously want to have our environment in turmoil from being forced to constantly patch and patch in rapid fashion without having the ability to validate that these patches are not going to hurt us. If we roll something out and then we have to fix it because we blew up our own environment, we did worse perhaps than if we had done nothing at all. So we need to have time. CISOs need to have a strategy to buy themselves time so they can do due diligence.What\u2019s your strategy for doing this?If you think about it, many exploits try to load code onto a device for a variety of reasons -- either to directly compromise a system, take control of it over time or to use it as a bot in future etc. So a technology that for example, would prevent automated, non-authenticated deployment of executable software on a device could help prevent those types of exploits. If you can\u2019t put the code on my machine, that thing can\u2019t do a thing to me. And this can happen not just at the client level, but the server level and the network infrastructure as well.Microsoft has drawn a lot of criticism for its security failures. How do the other major vendors compare?I think Microsoft is an easy target, so people pick on Microsoft all the time. You can complain about Microsoft all you want, but you also have to recognize they have made significant investments and I think they have made significant progress. They are still not where we want them to be, but they are significantly better. Then you start looking at the other people and say \u2018What kind of a job are they doing\u2019? There was one who released 82 or 83 patches very recently. Not stellar, right? I am glad they were released, but on the other hand you are talking core business systems here. With those kind of changes in the software, did they all happen to be discovered at the same point in time or were they just held back? And how long was I vulnerable that I didn\u2019t know I was vulnerable? So Microsoft is not the only one with this problem. And quite frankly, I think some of the other vendors are in denial and they are the ones that worry me the most.