Group issues framework for vulnerability reports

The Organization for Internet Safety (OIS) is wading more deeply into the murky waters of vulnerability disclosure, releasing a draft document that lays out best practices for reporting and responding to software security vulnerabilities.

The draft document, "Security Vulnerability Reporting and Response Process," was published Wednesday on the OIS Web site. (See: http://www.oisafety.org/process.html)

The document is intended as a reference for software vendors and individuals or organizations involved in reporting security vulnerability information, according to the OIS.

Established in September 2002, the OIS is made up of representatives from technology vendors and security research consultancies. Members include leading companies such as Microsoft Corp., Oracle Corp., Internet Security Systems Inc. and Network Associates Inc.

The best-practices document, it is hoped, will clarify a disclosure process that is currently muddied by the conflicting priorities and interests of software vendors and security researchers, according to Scott Blake, vice president of information security at OIS member BindView Corp.

The process outlined by the OIS can serve as a basis for developing security reporting and response policies, the OIS said.

Goals and guidelines for both the finder and responder to security vulnerability information are provided for each step in the vulnerability disclosure process, from initial discovery through final release of the vulnerability information.

On the sensitive issue of vendors responding to information about vulnerabilities in their products, the OIS said that both the vendor and the party that finds a vulnerability should work to establish an appropriate timeframe to respond, taking into account the urgency of the problem and the technical challenge of investigating it.

The OIS draft document supported the customary 30-day grace period following initial discovery of a vulnerability.

However, the document also recommended a second 30-day hold on publication of detailed technical information related to the vulnerability following the release of a patch.

The idea was to give users a head start getting caught up with a vulnerability rather than having to respond to immediate attacks that take advantage of the security hole, Blake said.

The document also makes recommendations on a wide variety of other issues, from the kind of information that researchers should report to vendors to steps vendors should take to streamline vulnerability reporting and keep researchers updated as vulnerabilities are investigated.

Steps for resolving disputes and deadlocks between vendors and security researchers over the existence or severity of vulnerabilities are also provided.

Still, the group steered away from thornier issues.

Questions about the legality of publishing certain types of security vulnerability information stemming from the Digital Millennium Copyright Act were left out of the document, according to Blake.

"We're not lawyers and don't want to provide legal advice," Blake said.

Following a 30-day comment period, the OIS will weigh the comments it receives from the community and incorporate any "good" comments into a final draft of the reporting procedures, which will be unveiled in July at the Black Hat USA 2003 trade symposium in Las Vegas, Blake said.

While the group has no ability to enforce its policies on other security researchers, the level of experience of the OIS representatives and the effort put into creating the document should give weight to the group's recommendations, Blake said.

The group is hoping that market forces play a role, as well, with the OIS standards becoming a way to discriminate between different organizations' practices, he said.

Paul Roberts

IDG News Service