[ISN] Security Bug Disclosure Standard Dead In The Water

From: InfoSec News (isnat_private)
Date: Mon Mar 18 2002 - 23:41:17 PST

    By Brian McWilliams, Newsbytes
    18 Mar 2002, 2:26 PM CST

    Proponents of an effort to standardize the handling of computer
    security vulnerabilities today aborted the effort after receiving
    critical comments from reviewers.

    In a message today to members of the Internet Engineering Task Force's
    Security Area Advisory Group, the authors announced they were
    withdrawing the draft in response to feedback from members who felt
    the document was not appropriate for the IETF "since it does not deal
    with technical protocols."

    The proposed standard, laid out in a document called "Responsible
    Vulnerability Disclosure Process," was submitted last month to the
    IETF, an Internet standards body, by Steve Christey and Chris Wysopal,
    security researchers from Mitre Corp. and AtStake, respectively.

    The document proposed a set of "best practices" to be used by product
    vendors, security researchers and others involved in the disclosure of
    computer security flaws.

    "There does not appear to be any way to achieve consensus on that
    issue, regardless of the merits of the current draft or any future
    document that may attempt to describe disclosure recommendations,"
    said Christey in the message today.

    Christey and Wysopal were not immediately available for comment.

    The announcement of the proposed standard's demise stated that the
    authors are "currently identifying other forums that may be more
    suitable for discussion of the current document and future revisions.
    If we can't find such a forum, we will create one."

    Under the proposed standard, discoverers of security bugs will honor a
    30-day grace period after reporting a security flaw to a vendor before
    disclosing details of the vulnerability. Vendors in turn are to
    acknowledge reports of bugs within seven days, and to set up a special
    e-mail address for receiving reports.

    The draft follows an October 2001 call for responsible disclosure from
    Scott Culp, head of Microsoft's security response center. In a
    much-discussed document at the Microsoft site, Culp decried what he
    called the state of "information anarchy" surrounding the current
    security reporting process.

    While many security researchers and vendors already follow the
    practices detailed in the proposed IETF standard, others expressed
    concerns that codifying a reporting standard could have negative

    In a posting to the SAAG mailing list last month titled "Thanks, I am
    not buying this RFC," Georgi Guninski, a Bulgarian security
    consultant, stated that the proposed standard could allow vendors to
    label bug finders as "irresponsible while shifting the focus from
    their buggyware."

    According to an acknowledgments section, the draft document reflected
    input from several key security industry figures, including the
    leaders of security at Microsoft and Oracle, as well as
    representatives from top security consulting firms and the Computer
    Emergency Response Team.

    The draft IETF vulnerability disclosure document is at
    ISN is currently hosted by Attrition.org