Group issues framework for vulnerability reports

The Organization for Internet Safety (OIS) is wading more deeply into the murky waters of vulnerability disclosure, releasing a draft document that lays out best practices for reporting and responding to software security vulnerabilities.

The draft document, "Security Vulnerability Reporting and Response Process," was published Wednesday on the OIS Web site. (See:

The document is intended as a reference for software vendors and individuals or organizations involved in reporting security vulnerability information, according to the OIS.

Established in September, 2002, the OIS is made up of representatives from technology vendors and security research consultancies. Members include leading companies such as Microsoft Corp., Oracle Corp., Internet Security Systems Inc. and Network Associates Inc.

The best practices document, it is hoped, will clarify a system that is currently muddied by the conflicting priorities and interests of software vendors and security researchers, according to Scott Blake, vice president of information security at OIS member BindView Corp.

The process outlined by the OIS can serve as a basis for developing security reporting and response policies, the OIS said.

Goals and guidelines for both the finder and responder to security vulnerability information are provided for each step in the vulnerability disclosure process, from initial discovery through final release of the vulnerability information.

On the sensitive issue of vendors responding to information about vulnerabilities in their products, the OIS said that both the vendor and the party that finds a vulnerability should work to establish an appropriate timeframe to respond, taking into account the urgency of the problem and the technical challenge of investigating it.

The OIS draft document supported the customary 30-day grace period following initial discovery of a vulnerability.

However, the document also recommended a second 30-day hold on publication of detailed technical information related to the vulnerability following the release of a patch.

The idea was to give users a head start getting caught up with a vulnerability rather than having to respond to immediate attacks that take advantage of the security hole, Blake said.

The document also makes recommendations on a wide variety of other issues, from the kind of information that researchers should report to vendors to steps vendors should take to streamline vulnerability reporting and keep researchers updated as vulnerabilities are investigated.

Steps for resolving disputes and deadlocks between vendors and security researchers over the existence or severity of vulnerabilities are also provided.

Still, the group steered away from thornier issues.

Questions about the legality of publishing certain types of security vulnerability information stemming from the Digital Millennium Copyright Act were left out of the document, according to Blake.

"We're not lawyers and don't want to provide legal advice," Blake said.

Following a 30-day comment period, the OIS will weigh the comments it received from the community and incorporate any "good" comments into a final draft of the reporting procedures, which will be unveiled in July at the Black Hat USA 2003 trade symposium in Las Vegas, Blake said.

While the group has no ability to enforce its policies on other security researchers, the level of experience of the OIS representatives and the effort put into creating the document should give weight to the group's recommendations, Blake said.

The group is hoping that market forces play a role, as well, with the OIS standards becoming a way to discriminate between different organizations' practices, he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?