ISS revamps disclosure process on security warnings
IDG News Service - Internet Security Systems Inc. (ISS), which has been criticized for publicly releasing information about security problems in software before giving application developers time to deal with holes, has issued a revised set of guidelines for how it will handle security warnings.
Atlanta-based ISS posted the guidelines on its Web site yesterday, along with a statement from Chris Rouland, director of the company's X-Force group of security experts, whose aim is to determine online threats and issue information about them. Security researchers need standards that take into account the public's need to know about vulnerabilities but that also "give ample consideration to software vendors working to remedy issues in their products," the statement said.
The guidelines, available in a six-page document (download PDF), include four phases: discovery, vendor notification, customer notification and public disclosure. The guidelines are the same for all vendors, so developers of open-source and proprietary software are given equal treatment.
The change in ISS's guidelines comes after the company was criticized for releasing information in June about problems with the widely used Apache Web server software without giving developers much time to tend to the holes first (see story).
Under the guidelines, which are dated Nov. 18, X-Force will document security vulnerabilities in a draft advisory and then create a brief about the problem. X-Force will then contact the affected vendor, which is defined as a company, group or organization that develops and provides software, hardware or firmware for sale or for free.
X-Force will work with the vendor to reproduce the vulnerability and provide information about it and may also help with testing patches or work-arounds.
Vendors will have 30 days after the initial notification from X-Force to come up with a fix unless a different agreement is in place. X-Force also listed the following procedural exceptions when faster disclosure will occur: the vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability is seen on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; the vendor is unresponsive.
Otherwise, the usual procedure is for X-Force after 30 days to contact The Mitre Corp., a nonprofit research company in Bedford, Mass., to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability.
X-Force will also send a final advisory draft to the vendor for review and comment before taking the advisory public, and it maintains the right to notify or coordinate with third-party groupsor government entities during the process of releasing the advisory.
The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information becomes available as the advisory is developed.
After the 30-day period is up, X-Force will publicly release the security brief to a number of mailing lists, forums and groups and will also post it on its Web site and through its Threat Analysis Service.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!