[ISN] Disclosure Guidelines For Bug-Spotters Proposed

From: InfoSec News (isnat_private)
Date: Fri Feb 22 2002 - 00:55:11 PST

    By Steven Bonisteel, Newsbytes
    21 Feb 2002, 5:21 PM CST

    A pair of computer security researchers are seeking comments on a
    proposal to bring order to the reporting and fixing of security holes
    in software, a process that frequently takes place in adversarial

    In a document known as an Internet Draft submitted to the Internet
    Engineering Task Force (IETF), Steve Christey of MITRE and Chris
    Wysopal of @stake outline what could become standard procedures for
    both bug hunters and software vendors when dealing with newly
    discovered vulnerabilities.

    The "Responsible Disclosure Process" Internet Draft comes as even
    Internet security sleuths themselves continue to debate how quickly
    they should publish their reports and how detailed they should be.

    Meanwhile, software giant Microsoft Corp. has been the most vocal
    among vendors who have criticized the bug hunters for reporting
    problems before they are patched.

    Christey's and Wysopal's IETF submission calls on those who report
    vulnerabilities to adhere to a policy of "responsible" disclosure that
    ensures they have made a substantial effort to verify their findings
    and allow vendors to respond to their reports.

    The draft suggests a role for "coordinators" in the security industry
    that can work with both bug reporters and vendors. Such coordinators
    could be fall-back points of contact for those who find bugs but
    don't have the resources to follow through on testing and
    communicating with vendors.

    The draft also recommends that those who create software adopt uniform
    approaches to receiving bug reports and responding to them. Those
    procedures would include making available clearly defined sections on
    their Web sites for that purpose and adopting a standard naming scheme
    for e-mail mailboxes to which bug reports may be submitted.

    The proposal says vendors would be expected to acknowledge bug reports
    within 7 days and that they should continue to provide regular status
    reports until an issue is resolved.

    "Developers, customers and the security community all have divergent
    perspectives on the impact of vulnerabilities," Christey and Wysopal
    wrote. "Currently, vulnerability release is inconsistent and largely
    driven from the perspective of the party who has the greatest ability
    to control the process.

    "In an effort to create a common framework by which objectives are met
    to the benefit of all parties, this document communicates a formal,
    repeatable process for addressing vulnerability disclosure in a
    responsible manner."

    The full Internet Draft can be found here:

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 03:48:03 PST