Slashdot Mirror


X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""

3 of 98 comments

  1. These are NEW guidelines? by szquirrel · Score: 5, Informative

    What were their old ones? In most circumstances 30 days notice to the vendor is the only responsible way to go. Most companies are responsible enough to turn around a fix in that time.

    BTW, the ISS press release is here.

    --
    Never approach a vast undertaking with a half-vast plan.
  2. Only one new aspect really. by FreeLinux · Score: 5, Informative

    The only new aspect of this is that the Open Source projects will now be treated like the commercial vendors have been. They've always given the commercial guys lots of time, but there have been several occurrences where open source projects were given the shaft.

    The first to come to mind was when Apache was given less than a day's notice before they disclosed the vulnerability.

    Under the new policy Apache will be given the same 30 days that Microsoft has gotten. Fair's fair.

  3. Re:Odd by Apathy+costs+bills · Score: 5, Informative
    Unresponsive usually doesn't mean things like "doesn't answer". Unresponsive means things like:
    • "That's not a vulnerability."
    • "That vulnerability is purely theoretical"
    • "We're not fixing it, and if you release information about it, we'll sue you."
    • "What's a vulnerability?"
    • "la la la la la la la la la"
    In short, any response along the lines of "go ahead, we ain't fixing it".
    --
    Kill Trolls Dead. Here's