Vendors Offer Plan for Disclosing Software Security Holes
Security researchers say their concerns were ignored, slam vendor 'loopholes'
August 4, 2003 12:00 PM ETComputerworld - A multivendor team led by Microsoft Corp. last week released new guidelines for security vulnerability reporting and response. But critics of the effort faulted it for its lack of nonvendor buy-in.
The voluntary group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), has been engaged in a yearlong effort to standardize the process through which security researchers and software vendors work together on finding, fixing and releasing information about software vulnerabilities to the public.
In the past, software vendors and security researchers have been at loggerheads over the practice of full disclosure, under which vulnerability information is publicly released before vendors have a chance to respond to it.
Key elements of the process approved last week include a requirement for vendors to set up an established point of contact for receiving vulnerability information and a provision that vendors should respond within seven days to a vulnerability report.
The process also sets forth a 30-day period to find a fix, during which the vulnerability information won't be publicly disclosed by the finder, and a 30-day grace period after a fix has been issued before supplemental details such as exploit code can be released by the finder.
The OIS guidelines are an effort to create a process that is acceptable to vendors and researchers and keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at Houston-based BindView Corp., one of the members of the OIS.
"The process relies on good faith by both parties," Blake said. "Users' interests are the primary consideration."
Vendors Only?
But some independent security researchers claimed that the OIS effort is unbalanced.
"The vendors forming the OIS represent anybody but the security researchers," said Thor Larholm, a security researcher at PivX Solutions LLC, a Newport Beach, Calif.-based network security consultancy.
"The OIS is a specification made by vendors for vendors," Larholm added. "The guidelines provide absolutely no incentive for most security researchers to follow the process. There are simply too many loopholes for any vendor to continue [its] current process of downplaying the severity of vulnerabilities."
"Hiding information about bugs hurts ordinary users and systems administrators," said Georgi Guninski, a Bulgarian bug hunter who has discovered numerous flaws in Microsoft products and has previously been criticized by the company for irresponsible disclosure.
"In most cases, when a security bug is announced by a [finder], the same [finder] gives an efficient solution to the problem," Guninski said, noting the lag time built into the OIS guidelines.
Scott Culp, senior security strategist at Microsoft, said the guidelines won't relieve any of the pressure that full disclosure imposes on vendors. In fact, he said, the opposite is true, noting that there's a timetable built into the process and that a company can be held accountable if it fails to respond to a reported vulnerability.
Viruses
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Key Strategies for Managing Data Growth
What are you storage challenges?
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!
Eradicate Spam & Gain 100% Asurance of Clean Mailboxes
Get this paper now!
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Mastering eDiscovery: The IT Manager's Guide to Preservation, Protection & Production
Get this paper now!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Not Just Words: Enforce Your Email and Web Acceptable Usage Policies
Get this paper now!
Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!
