ISS revamps disclosure process on security warnings
IDG News Service - Internet Security Systems Inc. (ISS), which has been criticized for publicly releasing information about security problems in software before giving application developers time to deal with holes, has issued a revised set of guidelines for how it will handle security warnings.
Atlanta-based ISS posted the guidelines on its Web site yesterday, along with a statement from Chris Rouland, director of the company's X-Force group of security experts, whose aim is to determine online threats and issue information about them. Security researchers need standards that take into account the public's need to know about vulnerabilities but that also "give ample consideration to software vendors working to remedy issues in their products," the statement said.
The guidelines, available in a six-page document (download PDF), include four phases: discovery, vendor notification, customer notification and public disclosure. The guidelines are the same for all vendors, so developers of open-source and proprietary software are given equal treatment.
The change in ISS's guidelines comes after the company was criticized for releasing information in June about problems with the widely used Apache Web server software without giving developers much time to tend to the holes first (see story).
Under the guidelines, which are dated Nov. 18, X-Force will document security vulnerabilities in a draft advisory and then create a brief about the problem. X-Force will then contact the affected vendor, which is defined as a company, group or organization that develops and provides software, hardware or firmware for sale or for free.
X-Force will work with the vendor to reproduce the vulnerability and provide information about it and may also help with testing patches or work-arounds.
Vendors will have 30 days after the initial notification from X-Force to come up with a fix unless a different agreement is in place. X-Force also listed the following procedural exceptions when faster disclosure will occur: the vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability is seen on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; the vendor is unresponsive.
Otherwise, the usual procedure is for X-Force after 30 days to contact The Mitre Corp., a nonprofit research company in Bedford, Mass., to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability.
X-Force will also send a final advisory draft to the vendor for review and comment before taking the advisory public, and it maintains the right to notify or coordinate with third-party groupsor government entities during the process of releasing the advisory.
The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information becomes available as the advisory is developed.
After the 30-day period is up, X-Force will publicly release the security brief to a number of mailing lists, forums and groups and will also post it on its Web site and through its Threat Analysis Service.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts