Software security group launches

The Organization for Internet Safety formally announces its formation, but can it overcome the security community's schizophrenia over how to best deal with security flaws?

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Eleven software makers and security firms announced on Thursday the formation of a group that intends to set down rules regarding how the security community should responsibly release information on software flaws.

The members of the group, which first discussed the issues nearly a year ago, hope to bridge the gap between security firms and independent consultants who release information about flaws to grab media attention and the software companies that frequently find themselves with egg on their face over the holes in their applications.

"Today, there are no agreed-upon processes for handling security vulnerabilities," the group said in a statement on its Web site. "The lack of any consensus procedures complicates the process of fixing vulnerabilities, and ultimately increases the risk that all computer users face."

The group stressed that any guidelines that it creates will be just that; no enforcement mechanism will be advocated.

Earlier this year, members of the nascent group supported an official set of draft disclosure guidelines that were submitted to the Internet's technical body, the Internet Engineering Task Force, only to be turned down as being outside the IETF's purview.

The draft guidelines were intended to make peace between the two sides of the security debate: the software companies that want to quietly fix their flawed applications without suffering embarrassment and the security researcher who would rather trumpet the slipups for their own aggrandizement.

The proposed rules suggested that companies respond to security researchers within a week of being notified of a potential flaw and that researchers give software companies at least 30 days to fix the flaw before making information about it public.

That it took a year to organize the group speaks to the difficulty in getting the two sides of the vulnerability equation to see eye to eye.

An incident in June caused a great deal of tension as well. Security firm Internet Security Systems, a member of the OIS, released information about a flaw in the most popular Web server on the Internet, Apache, after only giving a few hours notice to the software's developer group. While the OIS's own guidelines calls for a 30-day period, ISS claimed that the vulnerability was already being used by hackers in the underground and thus needed to be released.

Even so, employees of the group's other members criticized the premature disclosure.

Causing further trouble, according to an employee of another group member who asked not to be identified, is the group's 20-page legal membership agreement.

However, despite the issues, the focus on responsible vulnerability handling in the Bush administration's National Strategy to Secure Cyberspace can only help an initiative such as the OIS.

Members of the group are security companies @Stake, BindView, Foundstone, Guardent, ISS, NAI, and Symantec as well as software makers Caldera International, Microsoft, Oracle and SGI.