Full Disclosure mailing list archives
ISS issues bug disclosure guidelines
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Dec 2002 20:11:09 -0500
FYI: http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=&oid=21567

Internet Security Systems Issues Vulnerability Disclosure Guidelines, Aligns with National Efforts For Responsible Disclosure of Security Holes

ATLANTA, Ga. - December 2, 2002 - In its continuing effort to provide customers with the most reliable source of global security intelligence information, Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) today released its current Vulnerability Disclosure Guidelines. ISS' Vulnerability Disclosure Guidelines outline the process and procedures under which vulnerabilities that are researched and discovered by the ISS X-Force™ are disclosed to software and hardware vendors, customers, and the public. The X-Force is ISS' renowned security intelligence research and development team.

"Responsible discovery and disclosure of security vulnerabilities continues to be a topic of great interest. It's under much scrutiny in the public and private sectors, and it should be, if the protection of critical infrastructures around the world is of any concern," said Chris Rouland, director, X-Force, Internet Security Systems. "Security research organizations need to implement standards that reflect the public's need to know vital information about vulnerabilities in a timely manner, but that also give ample consideration to software vendors working to remedy issues in their products, so that the public is not put at risk without a corrective action available. We believe that publishing our current guidelines will help with the dialog and encourage other security research organizations to implement similar procedures."

The guidelines align with the efforts of the U.S. government and other organizations to promote responsible disclosure of newly discovered computer network vulnerabilities. The guidelines aim to balance the need of the public to receive timely, critical information on newly discovered vulnerabilities with software vendors' need for sufficient time to correct security issues identified in their products.

"Computer users benefit when security researchers and software vendors work together to identify and eliminate security vulnerabilities quickly," said Scott Culp, Manager of the Microsoft Security Response Center. "We applaud ISS for taking a leadership role in this area and developing corporate guidelines that clearly reflect users' best interests."

Paul Vixie, Chairman of Internet Software Consortium, Inc., and main author of BIND-8, adds: "When a vulnerability is discovered, it's very important to get fixes into the field as quickly as possible. But there's a tight balance between helping vendors and end-users protect their products and systems, as opposed to helping the bad guys learn how to exploit the vulnerabilities. This is especially true in the open source community where the tension between what's public and what's private is particularly high. ISS X-Force's guidelines are exemplary in their respect for both the dangers and requirements of vulnerability disclosure. Others in the field should take note."

Internet Security Systems X-Force guidelines contain a four-phase process, which includes the Initial Discovery Phase, Vendor Notification Phase, Customer Notification Phase and Public Disclosure Phase. The process and procedures outlined in the guidelines are the same for all vendors. The ISS X-Force defines a vendor as any company, group or organization that develops and provides software, hardware or firmware applications either for sale or as part of a free distribution.

The ISS Vulnerability Disclosure Guidelines are available for public review in their entirety on the Internet Security Systems web site at http://documents.iss.net/literature/vulnerability_guidelines.pdf. These guidelines may change from time to time to reflect current best practices.

As a founding member of the Organization for Internet Safety (OIS), Internet Security Systems has worked closely with committee members to ensure the guidelines conform to industry best practices. ISS also sought input on the guidelines from additional public and private organizations in order to develop a document that effectively reflects the efforts and concerns resonating throughout the security industry with regards to responsible disclosure of security vulnerabilities.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ISS issues bug disclosure guidelines Richard M. Smith (Dec 02)
- Re: ISS issues bug disclosure guidelines Georgi Guninski (Dec 03)
- Full disclosure war stories wanted Richard M. Smith (Dec 03)
- Re: ISS issues bug disclosure guidelines SynRak (Dec 04)
- Re: ISS issues bug disclosure guidelines Georgi Guninski (Dec 03)