Full Disclosure mailing list archives
Re: ISS issues bug disclosure guidelines
From: Georgi Guninski <guninski () guninski com>
Date: Tue, 03 Dec 2002 12:16:58 +0200
lol. Personally I don't care about ISS's guidelines. Of course they can do whatever they wish with their 0days. *My* 0days are another topic. For them I care about applicable laws where I live (and of course, as this list shows, there are ways to post quite anonymously).
And this guideline: http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html is much more appealing to me. So after the responsibility RFC got busted, they are fighting on corporate ground, lol?
I am thinking about making entities on my black list (microsoft, securityfocus, mitre, cert) beg for 0days in any form.
The idea is putting a license agreement/non-disclosure agreement in the publication/code which makes them not eligible to read/use the intellectual property at all. A lawyer said this approach is legal (of course it is difficult to enforce). In addition, encoding like ROT13 may be used to prevent them from reverse engineering the IP (cough cough DMCA) :). There are several precedents of high-profile code which forbids inclusion in sf's vuln db.
Has anyone tried something like the above or has advice?

Georgi Guninski
http://www.guninski.com

Richard M. Smith wrote:
FYI: http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=&oid=21567

Internet Security Systems Issues Vulnerability Disclosure Guidelines, Aligns with National Efforts For Responsible Disclosure of Security Holes

ATLANTA, Ga. - December 2, 2002 - In its continuing effort to provide customers with the most reliable source of global security intelligence information, Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) today released its current Vulnerability Disclosure Guidelines. ISS' Vulnerability Disclosure Guidelines outline the process and procedures under which vulnerabilities that are researched and discovered by the ISS X-Force™ are disclosed to software and hardware vendors, customers, and the public. The X-Force is ISS' renowned security intelligence research and development team.

"Responsible discovery and disclosure of security vulnerabilities continues to be a topic of great interest. It's under much scrutiny in the public and private sectors, and it should be, if the protection of critical infrastructures around the world is of any concern," said Chris Rouland, director, X-Force, Internet Security Systems. "Security research organizations need to implement standards that reflect the public's need to know vital information about vulnerabilities in a timely manner, but that also give ample consideration to software vendors working to remedy issues in their products, so that the public is not put at risk without a corrective action available. We believe that publishing our current guidelines will help with the dialog and encourage other security research organizations to implement similar procedures."

The guidelines align with the efforts of the U.S. government and other organizations to promote responsible disclosure of newly discovered computer network vulnerabilities.
The guidelines aim to balance the need of the public to receive timely, critical information on newly discovered vulnerabilities with software vendors' need for sufficient time to correct security issues identified in their products.

"Computer users benefit when security researchers and software vendors work together to identify and eliminate security vulnerabilities quickly," said Scott Culp, Manager of the Microsoft Security Response Center. "We applaud ISS for taking a leadership role in this area and developing corporate guidelines that clearly reflect users' best interests."

Paul Vixie, Chairman of Internet Software Consortium, Inc., and main author of BIND-8, adds "when a vulnerability is discovered, it's very important to get fixes into the field as quickly as possible. But there's a tight balance between helping vendors and end-users protect their products and systems, as opposed to helping the bad guys learn how to exploit the vulnerabilities. This is especially true in the open source community where the tension between what's public and what's private is particularly high. ISS X-Force's guidelines are exemplary in their respect for both the dangers and requirements of vulnerability disclosure. Others in the field should take note."

Internet Security Systems X-Force guidelines contain a four-phase process, which includes the Initial Discovery Phase, Vendor Notification Phase, Customer Notification Phase and Public Disclosure Phase. The process and procedures outlined in the guidelines are the same for all vendors. The ISS X-Force defines a vendor as any company, group or organization that develops and provides software, hardware or firmware applications either for sale or as part of a free distribution.

The ISS Vulnerability Disclosure Guidelines are available for public review in their entirety on the Internet Security Systems web site at http://documents.iss.net/literature/vulnerability_guidelines.pdf.
These guidelines may change from time to time to reflect current best practices. As a founding member of the Organization for Internet Safety (OIS), Internet Security Systems has worked closely with committee members to ensure the guidelines conform to industry best practices. ISS also sought input on the guidelines from additional public and private organizations in order to develop a document that effectively reflects the efforts and concerns resonating throughout the security industry with regards to responsible disclosure of security vulnerabilities.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html