http://www.newsbytes.com/news/02/175273.html

By Brian McWilliams, Newsbytes

BURLINGTON, MASSACHUSETTS, U.S.A., 18 Mar 2002, 2:26 PM CST

Proponents of an effort to standardize the handling of computer security vulnerabilities today aborted the effort after receiving critical comments from reviewers.

In a message today to members of the Internet Engineering Task Force's Security Area Advisory Group, the authors announced they were withdrawing the draft in response to feedback from members who felt the document was not appropriate for the IETF "since it does not deal with technical protocols."

The proposed standard, laid out in a document called "Responsible Vulnerability Disclosure Process," was submitted last month to the IETF, an Internet standards body, by Steve Christey and Chris Wysopal, security researchers from Mitre Corp. and AtStake, respectively. The document proposed a set of "best practices" to be used by product vendors, security researchers and others involved in the disclosure of computer security flaws.

"There does not appear to be any way to achieve consensus on that issue, regardless of the merits of the current draft or any future document that may attempt to describe disclosure recommendations," said Christey in the message today.

Christey and Wysopal were not immediately available for comment.

The announcement of the proposed standard's demise stated that the authors are "currently identifying other forums that may be more suitable for discussion of the current document and future revisions. If we can't find such a forum, we will create one."

Under the proposed standard, discoverers of security bugs will honor a 30-day grace period after reporting a security flaw to a vendor before disclosing details of the vulnerability. Vendors in turn are to acknowledge reports of bugs within seven days, and to set up a special e-mail address for receiving reports.
The draft follows an October 2001 call for responsible disclosure from Scott Culp, head of Microsoft's security response center. In a much-discussed document at the Microsoft site, Culp decried what he called the state of "information anarchy" surrounding the current security reporting process.

While many security researchers and vendors already follow the practices detailed in the proposed IETF standard, others expressed concerns that codifying a reporting standard could have negative consequences.

In a posting to the SAAG mailing list last month titled "Thanks, I am not buying this RFC," Georgi Guninski, a Bulgarian security consultant, stated that the proposed standard could allow vendors to label bug finders as "irresponsible while shifting the focus from their buggyware."

According to an acknowledgments section, the draft document reflected input from several key security industry figures, including the leaders of security at Microsoft and Oracle, as well as representatives from top security consulting firms and the Computer Emergency Response Team.

The draft IETF vulnerability disclosure document is at http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt