June 4, 2003 5:30 PM PDT
Group drafts truce in security dispute
- Related Stories
Security clearinghouse under the gunJanuary 29, 2003
Patch slipup raises security questionsNovember 21, 2002
Software security group launchesSeptember 26, 2002
The thin gray lineSeptember 23, 2002
Security-flaw guidelines hit potholeMarch 18, 2002
Microsoft to hackers: Don't publish codeOctober 17, 2001
The draft rules were released Wednesday by the Organization for Internet Safety (OIS), a group composed of software companies and security firms, which have found themselves on opposite sides of the debate.
Scott Culp, senior security strategist for Microsoft, said the document is intended to keep both researchers and software makers honest.
"You have a situation, where--on both sides--the lack of a standardized process presents a chance of confusion and the possibility of problems," he said. "Confusion, when dealing with vulnerabilities, ends up hurting the people we are trying to protect--the users."
The OIS guidelines call on application makers to respond within seven days to a researcher's notification of a vulnerability in their software and to attempt to create a patch for that flaw within 30 days.
On the other side, the proposed rules require researchers to keep details of a flaw secret for at least 30 days after the release of a software patch for it.
The OIS was formed almost two years ago to put pressure on security researchers to publish information about software flaws in a responsible manner.
In the early 1990s, several researchers and hackers revolted against the secrecy that software companies maintained regarding the security of their products by releasing flaw information to the public. Because application makers were generally slow to respond to security problems, such news of a vulnerability would frequently be published before any patch had been issued.
During the past few years, software makers have put a higher priority on security, yet some researchers are still releasing information about flaws without giving the companies adequate time to fix the problems--possibly hurting the software's users.
"You have some researchers who think that if a vendor can't fix things right away, they think they are lazy," said Mary Ann Davidson, chief security officer for database maker Oracle. "They don't always understand that sometimes the fix can take longer than a few days."
Oracle is a member of the OIS, which includes security firms @stake, BindView, Foundstone, Guardent, Internet Security Systems, Network Associates and Symantec as well as software companies Microsoft and SGI.
The draft guidelines were posted to the OIS Web site Wednesday for a monthlong comment period. The rules are expected to be released at the Black Hat Briefings security conference in Las Vegas at the end of July.
Despite the concentration of security companies in the OIS, some researchers don't believe that the draft rules, in having them wait 30 days after a patch is released before publishing a bug alert, make for good security.
"If we don't have details, we are just going on the word of the software vendors and a small group of trusted companies," said Marc Maiffret, chief hacking officer at security firm eEye Digital Security. "That's not good. You are hoping that these few people are doing it right."
Maiffret argues that additional information about a flaw can help system administrators to gauge whether a vulnerability affects their computers and, when a patch is applied, whether the fix works properly.
Oracle's Davidson disagrees. "If you don't put in enough information, then the researchers are critical, not the customers," Davidson said. "My job is not to keep the researchers in business, but to protect the customers."