Slashdot Mirror


X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""

1 of 98 comments (clear)

  1. DMCA issues vs. vulnerability issues by mblase · · Score: 5, Interesting

    I'm waiting for the day when someone decides to threaten the software security agencies into silence, claiming "it's a feature, not a bug" and the DMCA gives them the right to silence public discussion about how to exploit the flaw.

    Hey, if Wal-Mart can invoke it because people are pre-announcing their sale prices....