Group issues framework for vulnerability reports

The Organization for Internet Safety (OIS) is wading more deeply into the murky waters of vulnerability disclosure, releasing a draft document that lays out best practices for reporting and responding to software security vulnerabilities.

The draft document, "Security Vulnerability Reporting and Response Process," was published Wednesday on the OIS Web site. (See: http://www.oisafety.org/process.html)

The document is intended as a reference for software vendors and individuals or organizations involved in reporting security vulnerability information, according to the OIS.

Established in September, 2002, the OIS is made up of representatives from technology vendors and security research consultancies. Members include leading companies such as Microsoft Corp., Oracle Corp., Internet Security Systems Inc. and Network Associates Inc.

The best practices document, it is hoped, will clarify a system that is currently muddied by the conflicting priorities and interests of software vendors and security researchers, according to Scott Blake, vice president of information security at OIS member BindView Corp.

The process outlined by the OIS can serve as a basis for developing security reporting and response policies, the OIS said.

Goals and guidelines for both the finder and responder to security vulnerability information are provided for each step in the vulnerability disclosure process, from initial discovery through final release of the vulnerability information.

On the sensitive issue of vendors responding to information about vulnerabilities in their products, the OIS said that both the vendor and the party that finds a vulnerability should work to establish an appropriate timeframe to respond, taking into account the urgency of the problem and the technical challenge of investigating it.

The OIS draft document supported the customary 30-day grace period following initial discovery of a vulnerability.

However, the document also recommended a second 30-day hold on publication of detailed technical information related to the vulnerability following the release of a patch.

The idea was to give users a head start getting caught up with a vulnerability rather than having to respond to immediate attacks that take advantage of the security hole, Blake said.

The document also makes recommendations on a wide variety of other issues, from the kind of information that researchers should report to vendors to steps vendors should take to streamline vulnerability reporting and keep researchers updated as vulnerabilities are investigated.

Steps for resolving disputes and deadlocks between vendors and security researchers over the existence or severity of vulnerabilities are also provided.

Still, the group steered away from thornier issues.

Questions about the legality of publishing certain types of security vulnerability information stemming from the Digital Millennium Copyright Act were left out of the document, according to Blake.

"We're not lawyers and don't want to provide legal advice," Blake said.

Following a 30-day comment period, the OIS will weigh the comments it received from the community and incorporate any "good" comments into a final draft of the reporting procedures, which will be unveiled in July at the Black Hat USA 2003 trade symposium in Las Vegas, Blake said.

While the group has no ability to enforce its policies on other security researchers, the level of experience of the OIS representatives and the effort put into creating the document should give weight to the group's recommendations, Blake said.

The group is hoping that market forces play a role, as well, with the OIS standards becoming a way to discriminate between different organizations' practices, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?