Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Vendor group publishes vulnerability disclosure guidelines

Top execs hope researchers and hackers will back a 'responsible' disclosure process
 

Sign up to receive Security Resource Alerts

July 31, 2003 (Computerworld) -- LAS VEGAS -- A group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), this week released the first version of a consensus document governing the reporting and release of security vulnerability information (download PDF).


The OIS, a voluntary group of 11 high-profile vendors formed last September, on July 29 released Version 1.0 of its long-awaited "Guidelines for Security Vulnerability Reporting and Response." The 25-page document is the result of a yearlong effort to standardize how security researchers and software vendors work together to find, fix and release information about software vulnerabilities to the public. A draft version of the document had been released in early June for public comment.


The current industry model of full disclosure has been a contentious and often politically charged issue. It has divided the security community into two camps, one consisting mainly of independent researchers, who feel that vendors are only out to protect themselves and their customers. The other camp includes vendors, which feel that researchers don't always adhere to the accepted practice of first notifying a vendor before making vulnerability and exploit data public.


"The environment has changed during the past seven to 10 years," said Chris Wysopal, director of research and development at @stake Inc. and co-author of the infamous Windows password-cracking program, L0phtCrack. "[In the past], vendors weren't communicating with anybody who wasn't a big customer. And they had no process at all."


The OIS guidelines are an effort to create a process acceptable to both researchers and vendors, one that keeps the security interests of users at the forefront, said Scott Blake, vice president of information security at BindView Corp. in Houston. "The process relies on good faith by both parties, and users' interests are the primary consideration."


According to Blake, the OIS incorporated substantial feedback from the security community in its final guidelines and devised a five-step process. Key to that process is a standardized and established point of contact that must be provided by the vendor so researchers know exactly who to notify, said Blake. In addition, a vendor has seven days to acknowledge receipt of the vulnerability report, or the researcher is free to make a public announcement. Finally, the OIS will rely on a 30-day grace period after a fix has been issued by the vendor to hold back the release of what he called "supplementary data" related to exploit code.


That should afford everybody affected by the vulnerability enough time to install patches before exploits begin to appear in the hacker community, said the OIS.


However, security experts attending the Black Hat security conference here questioned the motivations of the OIS, saying that it appears to be an effort to increase the value of for-profit early-notification lists that some security companies offer. "It sounds like a wonderful way to notify customers who pay for advance notification," said one audience member.

Continued...
1 | 2 | NEXT  



Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story
"Mainframe security pilot fish works for a company that has big iron in the U.S., Europe and Asia -- and..." Read more...
Read more Security posts or See all Blogs
Microsoft: 'Vista Capable' lawyers trying to hijack Windows Update
Update: McCain protests YouTube's removal of his campaign videos
Virtualization leads Gartner's top 10 strategic technologies for 2009
More top stories...
Remote Control: NASA works to repair Hubble's failed computer
Cisco demos public rooms for TelePresence
Oracle issues 36 patches, but is anyone applying them?
How bad? 'I thought I was going to throw up,' Jennifer Brunner recalls.
Think your project's off track and over budget? Learn a lesson or two from these infamous project flameouts.
In our hands-on testing, the new Xohm WiMax network from Sprint was fast and smooth -- but for now, you have to be in Baltimore to get it.
College student David Kernell allegedly broke into a middle school server eight years ago, according to a former teacher.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
The File Data Management Zone
Security Management Zone
The SAS Zone
Business Intelligence and Analytics Zone
Windows Protection Zone
The Enterprise Search Zone
Software as a Service Zone
The Security Zone

Ads by TechWords

See your link here
Moving to Windows Vista: The Promise, The Reality
Moving to Windows Vista: The Promise, The Reality
View this exclusive webcast today!
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Quick Sizing Guide for SAS Grid Running on HP BladeSystems and EVA Storage
Download this white paper today!
(Source: HP) Designed for CIOs, IT managers, data center managers and grid computing architects seeking to improve performance, SAS Grid Computing on the HP BladeSystem c-Class helps accelerate growth and mitigate risks with a simplified, consolidated infrastructure that's agile enough to efficiently handle change. SAS Grid Manager on HP BladeSystem can lower costs through automation, virtualization and improved IT efficiency.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Protecting Data on Laptops: Why Encryption Isn't Enough
Grant Thornton Achieves 99.7% Tracking of Remote Assets
Virtualization Technologies and Their Impact on Disaster Recovery
View more whitepapers