Feeds

Software firms team to fight bug leaks

Organisation for Internet Safety - very Orwellian

  • alert
  • submit to reddit

Protecting against web application threats using SSL

ComputerWire: IT Industry Intelligence

A loose coalition of software developers and security companies has come together with the aim of preventing vulnerability information being released prematurely,

Kevin Murphy writes

. Yesterday, a body calling itself the Organization for Internet Safety, announced its existence, and said it intends to have draft guidelines published early next year.

Scott Blake, chair of OIS's communications committee, told ComputerWire the guidelines will give security researchers and software developers responsibilities for being discreet and taking warnings seriously respectively. The key proposal is a 30-day waiting period between a patch release and details of the bug being released.

"We want to give the good guys a 30-day head-start on the bad guys," Blake said. "Demo code for [vulnerability] exploits won't be published by anybody without some assertion that it will not be used for unlawful purposes... We don't want researchers putting loaded guns in the hands of script kiddies."

The OIS was the brainchild of Steve Christey of the MITRE Corp and Chris Wysopal of @Stake Corp, who published a best practices document as an Internet Draft with the Internet Engineering Task Force in February. Founding members also include Oracle, Microsoft, Symantec, NAI, Guardent, ISS, SCO Group and BindView.

In recent years, there has been friction between vendors and professional and hobbyist bug-hunters. The periods between notifying a vendor of a bug and releasing the information to the public have been variable, and vendors, notably Microsoft, have been criticized for ignoring warnings or threatening legal action against the discoverer.

"It's been a very long time since anyone has had a legitimate complaint against Microsoft for not responding to a security issue," said Blake, who works for BindView Corp. "More often it's someone who wants to embarrass Microsoft, or other software companies, because they have a bone to pick."

"We'll probably get more traction with the professionals at first," he added. "But we're hoping to set a good example for the rest." The hope is that ultimately anybody, including the hobbyist bug-hunter, releasing vulnerability information without conforming to the guidelines will be frowned upon.

Two weeks ago, US senior presidential advisor Richard Clarke published a document outlining a strategy for securing American interests on the internet. Responding to the fact that most successful attacks are due to unpatched systems, among the proposals was the notion of an industry-led clearinghouse for vulnerability and patch information.

But Blake said there's no chance OIS will become that organization. "We're very specifically going to stay out of that kind of thing," he said. The OIS will merely create and maintain the guidelines and approve new members.

Companies wishing to join need only seek approval from the OIS board. There will be no enforcement of the guidelines, no certification seal to boast, and no membership fees. "We're using the honor system," Blake said.

© ComputerWire

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.