[ISN] ISS Goes Public With Vulnerability Disclosure Guidelines

From: InfoSec News (isnat_private)
Date: Tue Dec 03 2002 - 01:35:15 PST

  • Next message: InfoSec News: "[ISN] Security firm warns of new Chernobyl"

    Forwarded from: William Knowles <wkat_private>
    By Dennis Fisher 
    December 2, 2002 
    Internet Security Systems Inc. on Monday released to the public the
    vulnerability disclosure guidelines that its internal X-Force research
    team uses in identifying flaws and notifying vendors and the public.
    The guidelines are fairly standard and include a provision that is
    becoming more and more common among security vendors that also do
    vulnerability research. The clause informs vendors that ISS customers
    who subscribe to the company's X-Force Threat Analysis Service will be
    told about any new vulnerabilities one business day after ISS notifies
    the affected vendor. Customers will also get information on any
    countermeasures that may be available.
    Other security vendors have similar policies, under which their paying
    customers receive early warning of newly discovered flaws. Many
    vendors also add a check for the vulnerability to their commercial
    products before the vulnerability's existence is public knowledge.
    ISS' policy also dictates that it will publicly disclose new
    vulnerabilities 30 days - or perhaps sooner - after the company's
    initial contact with the vendor, unless other arrangements have been
    made. And if there is a discussion of a new vulnerability on a public
    mailing list, the vendor becomes unresponsive or a news article
    mentions the flaw, then ISS will accelerate its public notification.
    "Security research organizations need to implement standards that
    reflect the public's need to know vital information about
    vulnerabilities in a timely manner, but that also give ample
    consideration to software vendors working to remedy issues in their
    products so that the public is not put at risk without a corrective
    action available," said Chris Rouland, director if the X-Force at ISS,
    based in Atlanta.
    ISS is a prominent member of the Organization for Internet Safety, a
    group of security and software vendors that have banded together to
    develop a common set of guidelines that can be used for responsible
    disclosure of vulnerabilities. The group is still working on its
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 04:26:56 PST