Vendors Offer Plan for Disclosing Software Security Holes
Security researchers say their concerns were ignored, slam vendor 'loopholes'
Computerworld - A multivendor team led by Microsoft Corp. last week released new guidelines for security vulnerability reporting and response. But critics of the effort faulted it for its lack of nonvendor buy-in.
The voluntary group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), has been engaged in a yearlong effort to standardize the process through which security researchers and software vendors work together on finding, fixing and releasing information about software vulnerabilities to the public.
In the past, software vendors and security researchers have been at loggerheads over the practice of full disclosure, under which vulnerability information is publicly released before vendors have a chance to respond to it.
Key elements of the process approved last week include a requirement for vendors to set up an established point of contact for receiving vulnerability information and a provision that vendors should respond within seven days to a vulnerability report.
The process also sets forth a 30-day period to find a fix, during which the vulnerability information won't be publicly disclosed by the finder, and a 30-day grace period after a fix has been issued before supplemental details such as exploit code can be released by the finder.
The OIS guidelines are an effort to create a process that is acceptable to vendors and researchers and keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at Houston-based BindView Corp., one of the members of the OIS.
"The process relies on good faith by both parties," Blake said. "Users' interests are the primary consideration."
Vendors Only?
But some independent security researchers claimed that the OIS effort is unbalanced.
"The vendors forming the OIS represent anybody but the security researchers," said Thor Larholm, a security researcher at PivX Solutions LLC, a Newport Beach, Calif.-based network security consultancy.
"The OIS is a specification made by vendors for vendors," Larholm added. "The guidelines provide absolutely no incentive for most security researchers to follow the process. There are simply too many loopholes for any vendor to continue [its] current process of downplaying the severity of vulnerabilities."
"Hiding information about bugs hurts ordinary users and systems administrators," said Georgi Guninski, a Bulgarian bug hunter who has discovered numerous flaws in Microsoft products and has previously been criticized by the company for irresponsible disclosure.
"In most cases, when a security bug is announced by a [finder], the same [finder] gives an efficient solution to the problem," Guninski said, noting the lag time built into the OIS guidelines.
Scott Culp, senior security strategist at Microsoft, said the guidelines won't relieve any of the pressure that full disclosure imposes on vendors. In fact, he said, the opposite is true, noting that there's a timetable built into the process and that a company can be held accountable if it fails to respond to a reported vulnerability.


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Practice Management: Double Billing Rate and Improve Patient Services
- Would you like to double your billing rate and achieve faster payment for services?
Download this customer success story to see how One Health... - Mission Critical Data Explosion and Customer Case Study
- Would you like to double your tier 1 storage capacity while simultaneously reducing your storage footprint?
Download this customer success story to see how... - Protecting Against Database Attacks and Insider Threats: Top 5 Scenarios
- Read this new eBook to learn the top five scenarios and essential best practices for preventing database attacks and insider threats.
- Database Activity Monitoring Is Evolving
- Read the analyst report and learn how you can leverage the core capabilities of a DAP solution for better database security.
- Establishing a Strategy for Database Security is No Longer Optional
- The options for securing increasingly valuable databases are very broad and deep, and can be confusing. This research provides an overview of three... All Malware and Vulnerabilities White Papers
- Distributed Database Security with Real-time Monitoring
- View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
- InfoSphere Warehouse Packs Demo
- These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
- Delivery Management -- Extending Lifecycle Management
- Date: Wednesday, June 20, 2012, 1:00 PM EDT
Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,... - Leverage automation today to reduce IT complexity
- Date: Tuesday, June 5, 2012, 2:00 PM EDT
Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific... - Redefine Expectations in the Data Center
- Need to do more with less? Watch this video to learn how HP ProLiant Gen8 servers can help your business deploy servers three... All Malware and Vulnerabilities Webcasts