Skip the navigation

Vendor group publishes vulnerability disclosure guidelines

Top execs hope researchers and hackers will back a 'responsible' disclosure process

By Dan Verton
July 31, 2003 12:00 PM ET

Computerworld - LAS VEGAS -- A group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), this week released the first version of a consensus document governing the reporting and release of security vulnerability information (download PDF).


The OIS, a voluntary group of 11 high-profile vendors formed last September, on July 29 released Version 1.0 of its long-awaited "Guidelines for Security Vulnerability Reporting and Response." The 25-page document is the result of a yearlong effort to standardize how security researchers and software vendors work together to find, fix and release information about software vulnerabilities to the public. A draft version of the document had been released in early June for public comment.


The current industry model of full disclosure has been a contentious and often politically charged issue. It has divided the security community into two camps, one consisting mainly of independent researchers, who feel that vendors are only out to protect themselves and their customers. The other camp includes vendors, which feel that researchers don't always adhere to the accepted practice of first notifying a vendor before making vulnerability and exploit data public.


"The environment has changed during the past seven to 10 years," said Chris Wysopal, director of research and development at @stake Inc. and co-author of the infamous Windows password-cracking program, L0phtCrack. "[In the past], vendors weren't communicating with anybody who wasn't a big customer. And they had no process at all."


The OIS guidelines are an effort to create a process acceptable to both researchers and vendors, one that keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at BindView Corp. in Houston. "The process relies on good faith by both parties, and users' interests are the primary consideration."


According to Blake, the OIS incorporated substantial feedback from the security community in its final guidelines and devised a five-step process. Key to that process is a standardized and established point of contact that must be provided by the vendor so researchers know exactly who to notify, said Blake. In addition, a vendor has seven days to acknowledge receipt of the vulnerability report, or the researcher is free to make a public announcement. Finally, the OIS will rely on a 30-day grace period after a fix has been issued by the vendor to hold back the release of what he called "supplementary data" related to exploit code.


That should afford everybody affected by the vulnerability enough time to install patches before exploits begin to appear in the hacker community, said the OIS.



Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Malware and Vulnerabilities White Papers
Reducing the Cost and Complexity of Web Vulnerability Management
Hackers and cybercriminals are constantly refining their attacks and targets; which means you need agile tools to stay ahead of them.

Download this...
Overcome Top 7 Admin Challenges of Active Directory
As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
Insiders Can Ruin Your Company. Take Action.
Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
Top Solutions and Tools to Prevent Devastating Malware
Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
Streamline Compliance and Increase ROI
Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
All Malware and Vulnerabilities White Papers
Malware and Vulnerabilities Webcasts
Optimizing Networks for the Cloud
Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
Virtualize Business-Critical Applications with Confidence
Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®...
All Malware and Vulnerabilities Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs