Slashdot Mirror

X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""

18 of 98 comments

  1. Bad idea by The+Terrorists · · Score: 5, Insightful

    If you want to have your security reporters in cahoots with the corporations that have the holes, go right ahead. This opens the door to massive corruption if insecure firms pay off security reporters. Or, the government could stop a report permanently if it's deemed a security risk. Only the threat of disclosure is the enforcement for fixing these security breaches.

    1. Re: Bad idea by invi · · Score: 5, Insightful

      Come on?! If ISS does not document a security issue in time, somebody else will ... and therefore ISS' credibility will suffer over time. I'm not sure if I see the danger of corruption here.

      Personally, I think 30 days is a good time span for letting software companies fix their code. On the other hand, why wait 30 days until mentioning the vulnerability? ISS could simply announce that there *is* a problem with a given product without going into the details ("buffer overflow in Bind, tracking number #25521, details will be published December 16th 2002"). So, if your business runs a vulnerable piece of software which is not critical to your operation, you can disable the service until a patch is available. If the software is critical, it's up to you to take the risk.

    2. Re: Bad idea by WPIDalamar · · Score: 4, Insightful

      But then that gets all the baddies looking for the hole. It's a lot easier to find something if you know it exists. Without details, the good guys don't know exactly what to do to fix/work around the hole. Especially if the software IS critical.

  2. These are NEW guidelines? by szquirrel · · Score: 5, Informative

    What were their old ones? In most circumstances 30 days notice to the vendor is the only responsible way to go. Most companies are responsible enough to turn around a fix in that time.

    BTW, the ISS press release is here.

    --
    Never approach a vast undertaking with a half-vast plan.

    1. Re:These are NEW guidelines? by LostCluster · · Score: 5, Insightful

      The change is that if either the mainstream media starts spreading (usually inaccurate) info about the problem, or there's already an exploit in the wild, the 30-day period goes right out the window as pointless. ISS isn't gonna keep it a secret if somebody else is already spilling...

  3. They've Reached a Balance by oni · · Score: 4, Insightful

    Their criteria sound pretty reasonable to me. They've tried to reach a balance between the rights of sysadmins to know their systems are vulnerable and their responsibility when they tell script kiddies about exploits before they've been fixed.

  4. Only one new aspect really. by FreeLinux · · Score: 5, Informative

    The only new aspect of this is that the Open Source projects will now be treated like the commercial vendors have been. They've always given the commercial guys lots of time, but there have been several occurrences where open source projects were given the shaft.

    The first to come to mind was when Apache was given less than a day's notice before they disclosed the vulnerability.

    Under the new policy Apache will be given the same 30 days that Microsoft has gotten. Fair's fair.

  5. Is ISS still relevant? by Gothmolly · · Score: 4, Informative

    With an uncertain future, high pricing, and alternatives out there, why do people care what ISS says? Just because "X-Force" sounds cool?

    --
    I want to delete my account but Slashdot doesn't allow it.

  6. When guns are outlawed... by HBI · · Score: 4, Insightful

    Did it occur to the powers at ISS that this rule basically just enlarges the window for exploits to be exploited? The real danger zone is the time between the discovery (not necessarily the disclosure!) of the vulnerability, and the point when a certain critical mass of vulnerable boxes are patched.

    How many people patch their systems the day the patch is released? Certainly, I do, but does even the majority do so? I doubt it. Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless. They will certainly find out, if there is even an inkling of information about the exploit. IRC is much more effective than ISS anyway.

    Nice to know that black hats will always have better information than us. Thanks ISS. Another step backward in the fight to preserve our systems.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.

    1. Re:When guns are outlawed... by stratjakt · · Score: 5, Insightful

      >> Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless

      The script kiddies are clueless too. Script kiddie != black hat hacker. A script kiddie is someone who downloads the exploit when posted and uses it. The black hats discover the exploit.

      The ratio of real 'hackers' to script kiddies is about 1 to a zillion.

      So sure, that 1 hacker can still be running amok for 30 days, but the zillion script kiddies are sitting around with their thumbs up their asses.

      --
      I don't need no instructions to know how to rock!!!!

  7. On the facts reported by Featureless · · Score: 5, Insightful

    It sounds eminently reasonable - the best for all concerned. 30 days is not a long embargo, and their list of exceptions seems to me extremely thorough. This appears to answer criticism that "premature disclosure" is irresponsible (a criticism which I don't give much merit, but others disagree) with an intelligent and nuanced policy.

    The message to vendors: we'll cooperate with you, if you act responsibly and respond quickly.

    Quickly being the operative word. The tragic thing in the disclosure and response-time debate is the assumption that if the white-hat side discovers a flaw, they're the only ones who've found it... and just because you can't find a paper or an exploit after a bit of looking doesn't mean it's not out there.

    Certainly, there is a long history of big vendors (I won't name any names... ah, whatever, Microsoft) who completely ignore (i.e. won't return calls) or yes the helpful hackers to death (i.e. yes, it's on the list, we'll have a new patch _any day now_ - rinse, repeat for 6 months), and then whine when the disclosure becomes public... even as the publicity stings them to finally bestir themselves to release a patch. So I'm very glad to hear of those in the security community making a logical response to it all.

  8. Re:Odd by Apathy+costs+bills · · Score: 5, Informative

    Unresponsive usually doesn't mean things like "doesn't answer". Unresponsive means things like:

    • "That's not a vulnerability."
    • "That vulnerability is purely theoretical"
    • "We're not fixing it, and if you release information about it, we'll sue you."
    • "What's a vulnerability?"
    • "la la la la la la la la la"

    In short, any response along the lines of "go ahead, we ain't fixing it".

    --
    Kill Trolls Dead. Here's

  9. Why this is... by 1155 · · Score: 4, Interesting

    Really good:

    Disclosure for the most part, is a good thing. Even with things such as smb, whereas the samba team found a way to shut down a server remotely with it, aren't disclosed, unless there is a threat of disclosure, in which you need to go ahead and patch your hole or you will be seen as, well, uncaring by those who care.

    This also allows for faster knowledge, i.e., if there is an active mailing list on it, but I am not on that list, then iss will inform me of the problem, this is in the mailing list, or whatever form of communication said project uses.

    The Cons

    As mentioned in comments already, I am assuming, people will be able to blackmail one another in order to keep said hack/hole/easter bunny out of the lime light. A little bit of cash can go a long way sometimes. Be wary of what is, and what isn't, reported.

    Why this is important to you:

    It gives you a more defined description of how things are going to go, and how much salt grain you should take with each hack. You should know that each hack/hole out there has already been out there for a month, and that it could have been out there for a lot longer. Joe blackhat just doesn't give up his tools, unless they are not useful.

    Why this is not important:

    ISS is not the only security site, and it should not be your only site to get updates from, either. Do a google...

  10. ISS Paid Off? by Apathy+costs+bills · · Score: 5, Insightful

    This opens the door to massive corruption if insecure firms pay off security reporters.

    Your argument is that this open change in their disclosure policy is a slippery slope to behind-the-scenes cash-for-silence deals. In my mind, the threat of such deals is not influenced whatsoever by the open and stated policy of ISS but rather by their corporate ethics. ISS and other security companies which deal with the government gain vast swaths of revenue due to the fact that they retain their integrity by laying out rules and following them. A single deal of the type that you mention would put the profits of the entire company and all its public shareholders at risk. In short, I believe your hypothesis is unfounded.

    --
    Kill Trolls Dead. Here's

  11. I'm skeptical. by Anonymous Coward · · Score: 5, Insightful

    Well, these "guidelines" are common sense to every researcher who has a bit of heart for the field of work. I guess their partners were finally able to beat some reason into these ISS people. The recent BIND fiasco proved once and again that these "security researchers" value headlines more than their supposed mission statement. (Yes, I know, we all like to earn a buck, but in every profession you have your moral obligations.) ISS deliberately rushed advisories, and I don't think the issue was due to a lack of guidelines - this policy was a strategic move to get news stories at the expense of the users worldwide. These malicious practices are a disgrace to the security community that has come such a long way, and although ISS are not the only ones, they have probably been the most high-profile commercial predators.

    Anyway, we've heard similar promises before from OIS (of which ISS is a founding member) and it never stopped ISS from unethical behavior. But now apparently it bit them in the ass. I am surprised that nobody of their "alliances" denounced ISS for their malpractices earlier; I suspect this has been done behind the curtains, but granted, as long as it's effective, fine with me!

    So way to go ISS, but I wouldn't already sing hallelujah - they were always wrong and this is just normal. ;)

  12. DMCA issues vs. vulnerability issues by mblase · · Score: 5, Interesting

    I'm waiting for the day when someone decides to threaten the software security agencies into silence, claiming "it's a feature, not a bug" and the DMCA gives them the right to silence public discussion about how to exploit the flaw.

    Hey, if Wal-Mart can invoke it because people are pre-announcing their sale prices....

  13. open source by WPIDalamar · · Score: 4, Interesting

    Does this include open source projects? Aren't these the guys who released an apache hole a while back without telling them because they weren't a small cohesive group (or something like that)?

  14. They needed to by xrayspx · · Score: 4, Informative

    ISS has been complained about and complained about from both sides of the Full Disclosure issue. Full disclosure to Bugtraq is great, but when ISS or certain others release without vendor notification/vendor acknowledgment, it's just dangerous and rude.

    I'm personally glad that they aren't held up as the norm in the community. Most people seem to follow some variation of Rain Forest Puppy's RFPolicy concerning vendor contact and reasonable time tables for releasing to the community when faced with unresponsive/uncaring vendors.

    Good for X-Force, good for the community for browbeating X-Force.