Group wants input on vulnerability reporting guidelines
- By William Jackson
- May 25, 2004
The Organization for Internet Safety is soliciting comments on its guidelines for reporting and responding to software security vulnerabilities.
OIS, a consortium of software vendors, researchers and security consultants, released the guidelines in July 2003, hoping to bring some order to the continual struggle between code makers and code breakers. The second version is expected to be available in mid-July.
OIS hopes to address some issues in the second release that were sidestepped in the first edition, such as what role'if any'the government should play in vulnerability reporting.
That was one of the few issues on which the drafters could not come to any clear consensus last year, said Scott Blake, vice president of information security for BindView Corp. of Houston and chairman of the OIS communications committee.
'We're hoping to get some additional comment on that that would help sway us,' Blake said. 'It is not abundantly clear to us what the right thing to do is.'
The voluntary guidelines, available on the OIS Web site
, are an effort to balance the public's right to know about possible software problems against the need for vendors to correct those problems before they are made public.
They call for:
- cooperation between the discoverer of a flaw and the software vendor
- a waiting period, typically 30 days, to let a vendor correct a problem before it is publicly announced
- a 30-day grace period to let users fix their systems before technical details that could help attackers are released.
The issue of vulnerability reporting has been a contentious one in security circles. Some assert that the only way to ensure that software makers fix problems is to publicly expose them. Others contend that vendors should be given a chance to fix problems before they are publicly announced and hackers have a chance to exploit them.
Government advisers have called early public release of vulnerabilities irresponsible. Government organizations such as the US Computer Emergency Readiness Team have played a role in timing the release of information on a number of serious vulnerabilities.
Another issue OIS hopes to address is how to deal with problems found in open source software, where there is no clear-cut owner.
Blake said OIS accepts comments on the guidelines year-round, but that 'a comment period focuses people's attention on the process.'
Many of the comments received in the past year tend to cancel each other out, Blake said. Some feel the guidelines are too loose, others feel they are too stringent. 'If nobody is completely happy, we probably are about right,' he said.
Comments are being accepted through June 24 at firstname.lastname@example.org
. Details for the comment process are available at www.oisafety.org/review-1.5.html.
William Jackson is a Maryland-based freelance writer.