Recently, security information about computer programs has been exchanged and disclosed on a global scale through the Internet by CERT, other volunteer organizations, and private enterprises. Herein, security information refers to information about security holes, which may cause problems in security measures due to design errors and bugs in computer programs.
At present, however, a well-intentioned user who discovers a security hole may be mistaken for a dangerous hacker, or may become involved in trouble with the computer program developer, and the present environment is far from safe for anyone to exchange and disclose security information openly. This runs contrary to the trend toward open systems represented by the Internet, and may impede the development of computer programs commonly shared by mankind. Against this background, means and methods for solving these problems effectively have been desired.
The computer program developer attempts to eliminate design errors, bugs, and other security holes thoroughly in the test stage, and to provide a sound computer program to users. In practice, however, it is extremely difficult to discover all security holes in the test stage, and users often find security holes not detected by the developer only after starting to use the computer program.
Users who find security holes may present detailed information about them as security information, either directly to the developer or on a security information site on the Internet. In such a case, the developer, on judging that the presented security information is useful, takes measures by providing users with a corrective patch program or with the security information.
In the existing environment, security information is presented by users to the developer, either directly or through a security information site on the Internet. Hitherto, however, well-intentioned users presenting security information have often been accused of being dangerous hackers, or have become involved in trouble with a developer unwilling to disclose the presence of security holes.
Therefore, in the present situation, users who have useful security information often hesitate to present it in order to avoid such accusations and trouble. Such an environment impedes improvement in the quality of computer programs, and benefits neither developers nor users.
For developers, on the other hand, it is difficult to efficiently collect security information dispersed across the Internet, and it may take tremendous labor and cost to sort out only the useful information from security information that varies widely in quality. Attempts have been made to classify the dispersed security information, but successful results have not been obtained. In the end, developers are forced to follow the conventional technique of collecting a massive amount of security information and sorting out only the useful information.
The invention has been devised in light of this background, and its object is to provide a security information mediation apparatus capable of organizing an environment in which users can easily present security information and developers can collect useful security information at low cost, together with a corresponding security information mediation method and a computer-readable recording medium recording a security information mediation program.