Slashdot Mirror


Group Releases Anti-Disclosure Plan

dki writes "SecurityFocus reports that the Organization for Internet Safety (OIS), a group of 11 of the largest software and security companies, has released a public draft of a proposed bug disclosure standard. The document outlines a process for reporting and disclosing bugs that aims to eliminate releasing exploits to the general public. Not surprisingly, the OIS was founded out of a Microsoft-hosted security conference. Comments on the draft will be accepted until July 4th; the final copy will be released at the Black Hat Conference in Las Vegas."

4 of 149 comments

  1. Re:7.1 and 8.2 esp. disturbing. Send Feedback! by CAIMLAS · Score: 4, Interesting

    This makes me wonder - who can be a member of OIS? Just anyone? Only people with pertinent projects? Only companies? What about groups like the Debian maintainers or the core kernel devel team? My impression from the article was that it was company or corporate institution-exclusive.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  2. I say give some time, but not too much by DarklordSatin · Score: 5, Interesting

    Personally, I've always thought that a good disclosure policy would be one that informs the software's source of the problem and then waits some period of time before disclosing to the public.

    Of course, I'd recommend a very short wait time, probably between 48 hours and one week. Just enough time to solve the problem if enough resources are diverted to it but not long enough to allow anyone to ignore the problem until later.

  3. Are they still not getting it? by BillsPetMonkey · Score: 5, Interesting

    This proposal basically calls for the public to act in the same way as an employee would at finding a bug in the software. Perhaps I missed something here, but if a bug is sourced in the public domain it should be disclosed there as well.

    If they want to put me on the payroll, I'll QA and report their software using this convenient bug ticket they've provided ;)

    --
    "It's not your information. It's information about you" - John Ford, Vice President, Equifax
  4. Re: One line summary by Black Parrot · Score: 3, Interesting

    IOW, it's back to the bad old days when Microsoft didn't bother trying to fix exploitable software at all.

    --
    Sheesh, evil *and* a jerk. -- Jade