 

Bug disclosure, fix process improving

March 10, 2003 12:00 PM ET

Computerworld - Several users welcomed the growing willingness of vendors and security researchers to work together to identify and fix software vulnerabilities in the wake of last week's disclosure of a major hole in a widely used e-mail protocol (see story).
But they also expressed concern over the practice, followed by some in the security community, of releasing vulnerability information to certain users before making it available to the public.
Atlanta-based security vendor Internet Security Systems Inc. (ISS) and Emeryville, Calif.-based Sendmail Inc. last week disclosed the existence of a major buffer-overflow vulnerability in the sendmail mail-transfer agent, which handles more than 50% of all Internet e-mail traffic.
ISS, which first discovered the hole in early December, said it began in mid-January to work closely with the National Infrastructure Protection Center -- now part of the U.S. Department of Homeland Security -- to warn government and military agencies of the flaw.
The sendmail incident exemplified a welcome change in attitude relating to vulnerability discovery, disclosure and response, users said.
"The security community is becoming more responsible and is making better decisions with regard to when they should disclose a vulnerability," said Mike Tindor, vice president of network operations at First USA Inc., an Internet service provider in St. Clairsville, Ohio.
There is a growing realization that "making a vulnerability public without a fix is not in the industry's best interest," said Anthony DeVoto, a Windows NT administrator at Volvo Finance North America Inc. in Montvale, N.J.
"It's kind of like a car company coming out on the 6 o'clock news and saying your car is going to blow up and they don't know how to fix it," said David Krauthamer, director of information systems at Advanced Fibre Communications Inc., a Petaluma, Calif.-based manufacturer of telecommunications equipment. "I think the software and security industry has matured to the point where it is unacceptable to put customers in a position of such vulnerability," he added.
Meanwhile, software vendors, which continue to come under heavy criticism for developing buggy products, are getting "a little bit better" at disclosing and responding to bug reports, said Edward York, chief technology officer at 724 Inc., a Lompoc, Calif.-based hosting provider.
Groups such as the Organization for Internet Safety are trying to propose standard guidelines for reporting and responding to vulnerability information. And several security companies have voluntarily adopted policies governing the release of vulnerability information.
"The processes surrounding vulnerability disclosure have changed significantly during the past few years for the community as a whole," said Thor Larholm, a security researcher at PivX Solutions LLC, a network security consultancy in Newport Beach, Calif. Instead of making ad hoc disclosures, PivX has a 30-day grace period for vendors to fix a problem before the public is made aware of it.
Questionable Practices
Despite such progress, other issues remain, users said.
For instance, ISS's decision to prenotify several government and military agencies of the problem is understandable given today's heightened security concerns, users said. But it highlights a practice that can encourage "information segregation and concealment," said Paul Schmehl, adjunct information security officer at The University of Texas at Dallas.
Many security organizations -- including the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and ISS -- routinely sell advance vulnerability information to paying subscribers. Strict nondisclosure agreements govern such prenotifications, said Dan Ingevaldson, a security researcher at ISS.
But "safe practice is that only the vendor should be notified [of a flaw] so they can test it and create a patch. Only then should the information be made available to anyone else," said York.





