Vendor group publishes vulnerability disclosure guidelines

Computerworld - LAS VEGAS -- A group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), this week released the first version of a consensus document governing the reporting and release of security vulnerability information (download PDF).

The OIS, a voluntary group of 11 high-profile vendors formed last September, on July 29 released Version 1.0 of its long-awaited "Guidelines for Security Vulnerability Reporting and Response." The 25-page document is the result of a yearlong effort to standardize how security researchers and software vendors work together to find, fix and release information about software vulnerabilities to the public. A draft version of the document had been released in early June for public comment.

The current industry model of full disclosure has been a contentious and often politically charged issue. It has divided the security community into two camps, one consisting mainly of independent researchers, who feel that vendors are only out to protect themselves and their customers. The other camp includes vendors, which feel that researchers don't always adhere to the accepted practice of first notifying a vendor before making vulnerability and exploit data public.

"The environment has changed during the past seven to 10 years," said Chris Wysopal, director of research and development at @stake Inc. and co-author of the infamous Windows password-cracking program, L0phtCrack. "[In the past], vendors weren't communicating with anybody who wasn't a big customer. And they had no process at all."

The OIS guidelines are an effort to create a process acceptable to both researchers and vendors, one that keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at BindView Corp. in Houston. "The process relies on good faith by both parties, and users' interests are the primary consideration."

According to Blake, the OIS incorporated substantial feedback from the security community in its final guidelines and devised a five-step process. Key to that process is a standardized and established point of contact that must be provided by the vendor so researchers know exactly who to notify, said Blake. In addition, a vendor has seven days to acknowledge receipt of the vulnerability report, or the researcher is free to make a public announcement. Finally, the OIS will rely on a 30-day grace period after a fix has been issued by the vendor to hold back the release of what he called "supplementary data" related to exploit code.

That should afford everybody affected by the vulnerability enough time to install patches before exploits begin to appear in the hacker community, said the OIS.