Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Virus and Vulnerability Roundup
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Vendor group publishes vulnerability disclosure guidelines

Top execs hope researchers and hackers will back a 'responsible' disclosure process

July 31, 2003 12:00 PM ET

Computerworld - LAS VEGAS -- A group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), this week released the first version of a consensus document governing the reporting and release of security vulnerability information (download PDF).


The OIS, a voluntary group of 11 high-profile vendors formed last September, on July 29 released Version 1.0 of its long-awaited "Guidelines for Security Vulnerability Reporting and Response." The 25-page document is the result of a yearlong effort to standardize how security researchers and software vendors work together to find, fix and release information about software vulnerabilities to the public. A draft version of the document had been released in early June for public comment.


The current industry model of full disclosure has been a contentious and often politically charged issue. It has divided the security community into two camps, one consisting mainly of independent researchers, who feel that vendors are only out to protect themselves and their customers. The other camp includes vendors, which feel that researchers don't always adhere to the accepted practice of first notifying a vendor before making vulnerability and exploit data public.


"The environment has changed during the past seven to 10 years," said Chris Wysopal, director of research and development at @stake Inc. and co-author of the infamous Windows password-cracking program, L0phtCrack. "[In the past], vendors weren't communicating with anybody who wasn't a big customer. And they had no process at all."


The OIS guidelines are an effort to create a process acceptable to both researchers and vendors, one that keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at BindView Corp. in Houston. "The process relies on good faith by both parties, and users' interests are the primary consideration."


According to Blake, the OIS incorporated substantial feedback from the security community in its final guidelines and devised a five-step process. Key to that process is a standardized and established point of contact that must be provided by the vendor so researchers know exactly who to notify, said Blake. In addition, a vendor has seven days to acknowledge receipt of the vulnerability report, or the researcher is free to make a public announcement. Finally, the OIS will rely on a 30-day grace period after a fix has been issued by the vendor to hold back the release of what he called "supplementary data" related to exploit code.


That should afford everybody affected by the vulnerability enough time to install patches before exploits begin to appear in the hacker community, said the OIS.



Jump to comments

Viruses

Additional Resources

Xerox
By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!
Microsoft
Save time and mitigate security risk. Deploy it now.
Sybase
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.