ISS revamps disclosure process on security warnings
IDG News Service - Internet Security Systems Inc. (ISS), which has been criticized for publicly releasing information about security problems in software before giving application developers time to deal with holes, has issued a revised set of guidelines for how it will handle security warnings.
Atlanta-based ISS posted the guidelines on its Web site yesterday, along with a statement from Chris Rouland, director of the company's X-Force group of security experts, whose aim is to determine online threats and issue information about them. Security researchers need standards that take into account the public's need to know about vulnerabilities but that also "give ample consideration to software vendors working to remedy issues in their products," the statement said.
The guidelines, available in a six-page document (download PDF), include four phases: discovery, vendor notification, customer notification and public disclosure. The guidelines are the same for all vendors, so developers of open-source and proprietary software are given equal treatment.
The change in ISS's guidelines comes after the company was criticized for releasing information in June about problems with the widely used Apache Web server software without giving developers much time to tend to the holes first (see story).
Under the guidelines, which are dated Nov. 18, X-Force will document security vulnerabilities in a draft advisory and then create a brief about the problem. X-Force will then contact the affected vendor, which is defined as a company, group or organization that develops and provides software, hardware or firmware for sale or for free.
X-Force will work with the vendor to reproduce the vulnerability and provide information about it and may also help with testing patches or work-arounds.
Vendors will have 30 days after the initial notification from X-Force to come up with a fix unless a different agreement is in place. X-Force also listed the following procedural exceptions when faster disclosure will occur: the vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability is seen on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; the vendor is unresponsive.
Otherwise, the usual procedure is for X-Force after 30 days to contact The Mitre Corp., a nonprofit research company in Bedford, Mass., to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability.
X-Force will also send a final advisory draft to the vendor for review and comment before taking the advisory public, and it maintains the right to notify or coordinate with third-party groupsor government entities during the process of releasing the advisory.
The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information becomes available as the advisory is developed.
After the 30-day period is up, X-Force will publicly release the security brief to a number of mailing lists, forums and groups and will also post it on its Web site and through its Threat Analysis Service.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts