Vendors Offer Plan for Disclosing Software Security Holes

Computerworld - A multivendor team led by Microsoft Corp. last week released new guidelines for security vulnerability reporting and response. But critics of the effort faulted it for its lack of nonvendor buy-in.

The voluntary group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), has been engaged in a yearlong effort to standardize the process through which security researchers and software vendors work together on finding, fixing and releasing information about software vulnerabilities to the public.

In the past, software vendors and security researchers have been at loggerheads over the practice of full disclosure, under which vulnerability information is publicly released before vendors have a chance to respond to it.

Key elements of the process approved last week include a requirement for vendors to set up an established point of contact for receiving vulnerability information and a provision that vendors should respond within seven days to a vulnerability report.

The process also sets forth a 30-day period to find a fix, during which the vulnerability information won't be publicly disclosed by the finder, and a 30-day grace period after a fix has been issued before supplemental details such as exploit code can be released by the finder.

The OIS guidelines are an effort to create a process that is acceptable to vendors and researchers and keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at Houston-based BindView Corp., one of the members of the OIS.

"The process relies on good faith by both parties," Blake said. "Users' interests are the primary consideration."

Vendors Only?

But some independent security researchers claimed that the OIS effort is unbalanced.

"The vendors forming the OIS represent anybody but the security researchers," said Thor Larholm, a security researcher at PivX Solutions LLC, a Newport Beach, Calif.-based network security consultancy.

"The OIS is a specification made by vendors for vendors," Larholm added. "The guidelines provide absolutely no incentive for most security researchers to follow the process. There are simply too many loopholes for any vendor to continue [its] current process of downplaying the severity of vulnerabilities."

"Hiding information about bugs hurts ordinary users and systems administrators," said Georgi Guninski, a Bulgarian bug hunter who has discovered numerous flaws in Microsoft products and has previously been criticized by the company for irresponsible disclosure.

"In most cases, when a security bug is announced by a [finder], the same [finder] gives an efficient solution to the problem," Guninski said, noting the lag time built into the OIS guidelines.

Scott Culp, senior security strategist at Microsoft, said the guidelines won't relieve any of the pressure that full disclosure imposes on vendors. In fact, he said, the opposite is true, noting that there's a timetable built into the process and that a company can be held accountable if it fails to respond to a reported vulnerability.