http://www.newsbytes.com/news/02/174683.html

By Steven Bonisteel, Newsbytes

CAMBRIDGE, MASSACHUSETTS, U.S.A., 21 Feb 2002, 5:21 PM CST

A pair of computer security researchers are seeking comments on a proposal to bring order to the reporting and fixing of security holes in software, a process that frequently takes place in adversarial arenas.

In a document known as an Internet Draft submitted to the Internet Engineering Task Force (IETF), Steve Christey of MITRE and Chris Wysopal of @stake outline what could become standard procedures for both bug hunters and software vendors when dealing with newly discovered vulnerabilities.

The "Responsible Disclosure Process" Internet Draft comes as even Internet security sleuths themselves continue to debate how quickly they should publish their reports and how detailed they should be. Meanwhile, software giant Microsoft Corp. has been the most vocal among vendors who have criticized the bug hunters for reporting problems before they are patched.

Christey's and Wysopal's IETF submission calls on those who report vulnerabilities to adhere to a policy of "responsible" disclosure that ensures they have made a substantial effort to verify their findings and allow vendors to respond to their reports.

The draft suggests a role for "coordinators" in the security industry that can work with both bug reporters and vendors. Such coordinators could be fall-back points of contact for those who find bugs but don't have the resources to follow through on testing and communicating with vendors.

The draft also recommends that those who create software adopt uniform approaches to receiving bug reports and responding to them. Those procedures would include making available clearly defined sections on their Web sites for that purpose and adopting a standard naming scheme for e-mail mailboxes to which bug reports may be submitted.
The proposal says vendors would be expected to acknowledge bug reports within 7 days and that they should continue to provide regular status reports until an issue is resolved.

"Developers, customers and the security community all have divergent perspectives on the impact of vulnerabilities," Christey and Wysopal wrote. "Currently, vulnerability release is inconsistent and largely driven from the perspective of the party who has the greatest ability to control the process.

"In an effort to create a common framework by which objectives are met to the benefit of all parties, this document communicates a formal, repeatable process for addressing vulnerability disclosure in a responsible manner."

The full Internet Draft can be found here: http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

- ISN is currently hosted by Attrition.org