ISS revamps disclosure process on security warnings

IDG News Service - Internet Security Systems Inc. (ISS), which has been criticized for publicly releasing information about security problems in software before giving application developers time to deal with holes, has issued a revised set of guidelines for how it will handle security warnings.
Atlanta-based ISS posted the guidelines on its Web site yesterday, along with a statement from Chris Rouland, director of the company's X-Force group of security experts, whose aim is to determine online threats and issue information about them. Security researchers need standards that take into account the public's need to know about vulnerabilities but that also "give ample consideration to software vendors working to remedy issues in their products," the statement said.
The guidelines, available in a six-page document (download PDF), include four phases: discovery, vendor notification, customer notification and public disclosure. The guidelines are the same for all vendors, so developers of open-source and proprietary software are given equal treatment.
The change in ISS's guidelines comes after the company was criticized for releasing information in June about problems with the widely used Apache Web server software without giving developers much time to tend to the holes first (see story).
Under the guidelines, which are dated Nov. 18, X-Force will document security vulnerabilities in a draft advisory and then create a brief about the problem. X-Force will then contact the affected vendor, which is defined as a company, group or organization that develops and provides software, hardware or firmware for sale or for free.
X-Force will work with the vendor to reproduce the vulnerability and provide information about it and may also help with testing patches or work-arounds.
Vendors will have 30 days after the initial notification from X-Force to come up with a fix unless a different agreement is in place. X-Force also listed the following procedural exceptions when faster disclosure will occur: the vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability is seen on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; the vendor is unresponsive.
Otherwise, the usual procedure is for X-Force after 30 days to contact The Mitre Corp., a nonprofit research company in Bedford, Mass., to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability.
X-Force will also send a final advisory draft to the vendor for review and comment before taking the advisory public, and it maintains theright to notify or coordinate with third-party groups or government entities during the process of releasing the advisory.
The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information becomes available as the advisory is developed.
After the 30-day period is up, X-Force will publicly release the security brief to a number of mailing lists, forums and groups and will also post it on its Web site and through its Threat Analysis Service.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.