ISS Goes Public With Vulnerability Disclosure Guidelines

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.eweek.com/article2/0,3959,741332,00.asp

By Dennis Fisher 
December 2, 2002 

Internet Security Systems Inc. on Monday released to the public the
vulnerability disclosure guidelines that its internal X-Force research
team uses in identifying flaws and notifying vendors and the public.

The guidelines are fairly standard and include a provision that is
becoming more and more common among security vendors that also do
vulnerability research. The clause informs vendors that ISS customers
who subscribe to the company's X-Force Threat Analysis Service will be
told about any new vulnerabilities one business day after ISS notifies
the affected vendor. Customers will also get information on any
countermeasures that may be available.

Other security vendors have similar policies, under which their paying
customers receive early warning of newly discovered flaws. Many
vendors also add a check for the vulnerability to their commercial
products before the vulnerability's existence is public knowledge.

ISS' policy also dictates that it will publicly disclose new
vulnerabilities 30 days - or perhaps sooner - after the company's
initial contact with the vendor, unless other arrangements have been
made. And if there is a discussion of a new vulnerability on a public
mailing list, the vendor becomes unresponsive or a news article
mentions the flaw, then ISS will accelerate its public notification.

"Security research organizations need to implement standards that
reflect the public's need to know vital information about
vulnerabilities in a timely manner, but that also give ample
consideration to software vendors working to remedy issues in their
products so that the public is not put at risk without a corrective
action available," said Chris Rouland, director if the X-Force at ISS,
based in Atlanta.

ISS is a prominent member of the Organization for Internet Safety, a
group of security and software vendors that have banded together to
develop a common set of guidelines that can be used for responsible
disclosure of vulnerabilities. The group is still working on its
guidelines.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.