X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""

Bad idea

[The+Terrorists]

If you want to have your security reporters in cahoots with the corporations that have the holes, go right ahead. This opens the door to massive corruption if insecure firms pay off security reporters. Or, the government could stop a report permanently if it's deemed a security risk. Only the threat of disclosure is the enforcement for fixing these security breaches.

Re: Bad idea

[invi]

Come on?! If ISS does not document a security issue in time, somebody else will ... and therefore ISS' credibility will suffer over time. I'm not sure if I see the danger of corruption here.

Personally, I think 30 days is a good time span for letting software companies fix their code. On the other hand, why wait 30 days until mentioning the vulnerability? ISS could simply announce that there *is* a problem with a given product without going into the details ("buffer overflow in Bind, tracking number #25521, details will be published December 16th 2002"). So, if your business runs a vulnerable piece of software which is not critical to your operation, you can disable the service until a patch is available. If the software is critical, it's up to you to take the risk.

These are NEW guidelines?

[szquirrel]

What were their old ones? In most circumstances 30 days notice to the vendor is the only responsible way to go. Most companies are responsible enough to turn around a fix in that time.

BTW, the ISS press release is here.

Re:These are NEW guidelines?

[LostCluster]

The change is that if either the mainstream media starts spreading (usually inaccurate) info about the problem, or there's already an exploit in the wild, the 30 period goes right out the window as pointless. ISS isn't gonna keep it already a secret if somebody else is already spilling...

Only one new aspect really.

[FreeLinux]

The only new aspect of this is that the Open Source projects will now be treated like the commercial vendors have been. They've always given the commercial guys lots of time but, there have been several occurrances where open source projects were given the shaft.

The first to come to mind was when Apache was given less than a days notice before they disclosed the vulnerability.

Under the new policy Apache will be given the same 30 days that Microsoft has gotten. Fair's fair.

On the facts reported

[Featureless]

It sounds eminently reasonable - the best for all concerned. 30 days is not a long embargo, and their list of exceptions seems to me extremely thorough. This appears to answer criticism that "premature disclosure" is irresponsible (a criticism which I don't give much merit, but others disagree) with an intelligent and nuanced policy.

The message to vendors: we'll cooperate with you, if you act responsibly and respond quickly.

Quickly being the operative word. The tragic thing in the disclosure and response-time debate is the assumption that if the white-hat side discovers a flaw, they're the only ones who've found it... and just because you can't find a paper or an exploit after a bit of looking doesn't mean it's not out there.

Certainly, there is a long history of big vendors (I wont name any names... ah, whatever, Microsoft) who completely ignore (i.e. wont return calls) or yes the helpful hackers to death (i.e. yes, it's on the list, we'll have a new patch _any day now_ - rinse, repeat for 6 months), and then whine when the disclosure becomes public... even as the publicity stings them to finally bestir themselves to release a patch. So I'm very glad to hear of those in the security community making a logical response to it all.

Re:Odd

[Apathy+costs+bills]

Unresponsive usually doesn't mean things like "doesn't answer". Unresponsive means things like:

• "That's not a vulnerability."
• "That vulnerability is purely theoretical"
• "We're not fixing it, and if you release information about it, we'll sue you."
• "What's a vulnerability?"
• "la la la la la la la la la"

In short, any response to the lines of "go ahead, we ain't fixing it".

ISS Paid Off?

[Apathy+costs+bills]

This opens the door to massive corruption if insecure firms pay off security reporters.

Your argument is that this open change in their disclosure policy is a slippery slope to behind-the-scenes cash-for-silence deals. In my mind, the threat of such deals is not influenced whatsoever by the open and stated policy of ISS but rather by their corporate ethics. ISS and other security companies which deal with the government gain vast swaths of revenue due to the fact that they retain their integrity by laying out rules and following them. A single deal of the type that you mention would put the profits of the entire company and all its public shareholders at risk. In short, I believe your hypothesis is unfounded.

I'm skeptical.

Well, these "guidelines" are common sense to every researcher who has a bit of heart for the field of work. I guess their partners were finally able to beat some reason into these ISS people. The recent BIND fiasco proved once and again that these "security researchers" value headlines more than their supposed mission statement. (Yes, I know, we all like to earn a buck, but in every profession you have your moral obligations.) ISS deliberately rushed advisories, and I don't think the issue was due to a lack of guidelines - this policy was a strategic move to get news stories at the expense of the users worldwide. These malicious practices are a disgrace to the security community that has come such a long way, and although ISS are not the only ones, they have probably been the most high-profile commercial predators.

Anyway, we've heard similar promises before from OIS (of which ISS is a founding member) and it never stopped ISS from unethical behavior. But now apparently it bit them in the ass. I am surprised that nobody of their "alliances" denounced ISS for their malpractices earlier; I suspect this has been done behind the curtains, but granted, as long as it's effective, fine with me!

So way to go ISS, but I wouldn't already sing hallelujah - they were always wrong and this is just normal. ;)

DMCA issues vs. vulnerability issues

[mblase]

I'm waiting for the day when someone decides to threaten the software security agencies into silence, claiming "it's a feature, not a bug" and the DMCA gives them the right to silence public discussion about how to exploit the flaw.

Hey, if Wal-Mart can invoke it because people are pre-announcing their sale prices....

Re:When guns are outlawed...

[stratjakt]

>> Moreover, they're giving 30 days for the script kiddies to run amok while we are clueless

The script kiddies are clueless too. Script kiddie != black hat hacker. A script kiddie is someone who downloads the exploit when posted and uses it. The black hats discover the exploit.

The ratio of real 'hackers' to script kiddies is about 1 to a zillion.

So sure, that 1 hacker can still be running amok for 30 days, but the zillion script kiddies are sitting around with their thumbs up their asses.