Cyber Eye: Error guidelines raise hackles
The Organization for Internet Safety, an alliance of software vendors and security experts, soon will issue a draft standard for reporting software vulnerabilities. Already there are signals that the guideline won't satisfy everyone.
Ideally, a software producer should have a chance to fix or patch a problem before it becomes publicly known. But shouldn't users of the software also be notified so they can protect themselves until the patch is ready? And what if a vendor doesn't respond?
Some hackers contend the only way to ensure that a vendor fixes a hole is to publicize it.
The government has come down on the side of nondisclosure. Presidential cybersecurity adviser Richard Clarke has called public disclosure irresponsible. Notify the vendor, Clarke suggests, and if the vendor doesn't respond, 'Call us.'
OIS, which wants to keep government out of computer security, was formed last year to develop standards for handling the issue. Its code of conduct, at www.oisafety.org, 'prohibits the distribution of vulnerability information to anyone other than the discoverer and the software author.'
Meanwhile Internet Security Systems Inc. of Atlanta, a founding member of OIS, recently released its own guidelines for handling vulnerabilities.
'We've had written guidelines since we started doing advisories,' said Chris Rouland, director of the company's so-called X-Force. 'This is the first time we have published it.'
The company's ground rules require X-Force researchers who discover a vulnerability to notify the vendor, which has 30 days to fix it before a public advisory is issued.
'We cut down the time from 45 days,' Rouland said. 'We came to the conclusion that most vendors have the ability to fix things within 30 days.'
He said the company's guidelines are mostly compliant with the OIS draft, but there are areas of conflict. Subscribers to the company's X-Force Threat Analysis Service receive word of vulnerabilities within 24 hours of vendor notification. The subscribers sign an agreement to keep the information confidential, Rouland said.
OIS does not sanction this. 'We believe it is unethical to intentionally make one person more vulnerable than another,' the group said. 'Prerelease communities distribute the information too broadly for it to be kept secret. Once the word is out to some, the risk of exploit increases dramatically.'
But ISS has a responsibility to its customers, Rouland argued. 'Before we release a vulnerability, we have to make sure our customers are protected,' he said.
Other companies with other products will necessarily have other priorities, all of which complicates the industry's efforts at self-regulation. In spite of government disinclination to get involved, regulation could become inevitable.