X-Force Changes Vulnerability Disclosure Policy
BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""
Right on. What if holes get patched slower, or not at all, because they are "a threat to national security"?
So, they give the vendors 30 days to respond -- unless the vendor doesn't respond sooner? Immediately? What's the point of the "30 day" rule if response is required BEFORE then?
Sounds like a completely arbitrary process to me.
As with anything ISS says, I recommend waiting for precedent before predicting that they're going to treat anyone fairly. Hopefully you are correct.
Kill Trolls Dead. Here's
Really good:
Disclosure, for the most part, is a good thing. Even things such as SMB, where the Samba team found a way to shut down a server remotely with it, aren't disclosed unless there is a threat of disclosure, in which case you need to go ahead and patch your hole or you will be seen as, well, uncaring by those who care.
This also allows for faster knowledge, i.e., if there is an active mailing list on it but I am not on that list, then ISS will inform me of the problem, be it on the mailing list or whatever form of communication said project uses.
The Cons
As mentioned in comments already, I am assuming people will be able to blackmail one another in order to keep said hack/hole/Easter bunny out of the limelight. A little bit of cash can go a long way sometimes. Be wary of what is, and what isn't, reported.
Why this is important to you:
It gives you a more defined description of how things are going to go, and how many grains of salt you should take with each hack. You should know that each hack/hole out there has already been out there for a month, and that it could have been out there for a lot longer. Joe Blackhat just doesn't give up his tools unless they are not useful.
Why this is not important:
ISS is not the only security site, and it should not be your only site to get updates from, either. Do a Google...
I'm waiting for the day when someone decides to threaten the software security agencies into silence, claiming "it's a feature, not a bug" and the DMCA gives them the right to silence public discussion about how to exploit the flaw.
Hey, if Wal-Mart can invoke it because people are pre-announcing their sale prices....
Does this include open source projects? Aren't these the guys who released an Apache hole a while back without telling them because they weren't a small cohesive group (or something like that)?