Slashdot Mirror


X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: 'The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.'"

7 of 98 comments

  1. These are NEW guidelines? by szquirrel · Score: 5, Informative

    What were their old ones? In most circumstances 30 days notice to the vendor is the only responsible way to go. Most companies are responsible enough to turn around a fix in that time.

    BTW, the ISS press release is here.

    --
    Never approach a vast undertaking with a half-vast plan.
  2. Only one new aspect really. by FreeLinux · Score: 5, Informative

    The only new aspect of this is that the Open Source projects will now be treated like the commercial vendors have been. They've always given the commercial guys lots of time, but there have been several occurrences where open source projects were given the shaft.

    The first to come to mind was when Apache was given less than a day's notice before they disclosed the vulnerability.

    Under the new policy Apache will be given the same 30 days that Microsoft has gotten. Fair's fair.

    1. Re:Only one new aspect really. by Anonymous Coward · Score: 1, Informative

      The standard method for finding an exploitable problem is to shove data at it till it crashes then examine how it crashes.

      Reverse engineer the crash itself and determine if you've corrupted the stack sufficiently to execute arbitrary code, then determine the required junk to send it to cause it to run the code you want.

      No source code is required for any of this to work.

  3. Is ISS still relevant? by Gothmolly · Score: 4, Informative

    With an uncertain future, high pricing, and alternatives out there, why do people care what ISS says? Just because "X-Force" sounds cool?

    --
    I want to delete my account but Slashdot doesn't allow it.
  4. Re:Odd by Apathy+costs+bills · Score: 5, Informative

    Unresponsive usually doesn't mean things like "doesn't answer". Unresponsive means things like:

    • "That's not a vulnerability."
    • "That vulnerability is purely theoretical."
    • "We're not fixing it, and if you release information about it, we'll sue you."
    • "What's a vulnerability?"
    • "la la la la la la la la la"

    In short, any response along the lines of "go ahead, we ain't fixing it".

    --
    Kill Trolls Dead. Here's
  5. reminds me of something by John_Renne · Score: 3, Informative

    It almost seems the 30-day limit is a pretty reasonable one for both vendors and bughunters. Just yesterday in this article the PGP foundation announced the same period as desirable for releasing exploit information to the public. Coincidence or not?

    In any case. The period looks pretty reasonable to me. The firm will have enough time to investigate and release a patch before the scriptkiddies out there will get their hands on exploit code. Now if all bughunters out there would follow this policy...

    --
    /(bb|[^b]{2})/
  6. They needed to by xrayspx · Score: 4, Informative

    ISS has been complained about and complained about from both sides of the Full Disclosure issue. Full disclosure to Bugtraq is great, but when ISS or certain others release without vendor notification/vendor acknowledgment, it's just dangerous and rude.

    I'm personally glad that they aren't held up as the norm in the community. Most people seem to follow some variation of Rain Forest Puppy's RFPolicy concerning vendor contact and reasonable timetables for releasing to the community when faced with unresponsive/uncaring vendors.

    Good for X-Force, good for the community for browbeating X-Force.