Information Security News mailing list archives

Disclosure Guidelines For Bug-Spotters Proposed


From: InfoSec News <isn () c4i org>
Date: Fri, 22 Feb 2002 02:55:11 -0600 (CST)

http://www.newsbytes.com/news/02/174683.html

By Steven Bonisteel, Newsbytes
CAMBRIDGE MASSACHUSETTS, U.S.A.,
21 Feb 2002, 5:21 PM CST
A pair of computer security researchers are seeking comments on a
proposal to bring order to the reporting and fixing of security holes
in software, a process that frequently takes place in adversarial
arenas.

In a document known as an Internet Draft submitted to the Internet
Engineering Task Force (IETF), Steve Christey of MITRE and Chris
Wysopal of @stake outline what could become standard procedures for
both bug hunters and software vendors when dealing with newly
discovered vulnerabilities.
The "Responsible Disclosure Process" Internet Draft comes as even
Internet security sleuths themselves continue to debate how quickly
they should publish their reports and how detailed they should be.
Meanwhile, software giant Microsoft Corp. has been the most vocal
among vendors who have criticized the bug hunters for reporting
problems before they are patched.

Christey's and Wysopal's IETF submission calls on those who report
vulnerabilities to adhere to a policy of "responsible" disclosure that
ensures they have made a substantial effort to verify their findings
and allow vendors to respond to their reports.

The draft suggests a role for "coordinators" in the security industry
that can work with both bug reporters and vendors. Such coordinators
could be fall-back points of contact for those who find bugs but
don't have the resources to follow through on testing and
communicating with vendors.

The draft also recommends that those who create software adopt uniform
approaches to receiving bug reports and responding to them. Those
procedures would include making available clearly defined sections on
their Web sites for that purpose and adopting a standard naming scheme
for e-mail mailboxes to which bug reports may be submitted.

The proposal says vendors would be expected to acknowledge bug reports
within 7 days and that they should continue to provide regular status
reports until an issue is resolved.

"Developers, customers and the security community all have divergent
perspectives on the impact of vulnerabilities," Christey and Wysopal
wrote. "Currently, vulnerability release is inconsistent and largely
driven from the perspective of the party who has the greatest ability
to control the process.

"In an effort to create a common framework by which objectives are met
to the benefit of all parties, this document communicates a formal,
repeatable process for addressing vulnerability disclosure in a
responsible manner."

The full Internet Draft can be found here:
http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.