Bug reporting standards proposed

Two computer security researchers have proposed rules to standardize the way security holes in software are reported and fixed.

The pair, Steve Christey, lead information security engineer at Mitre Corp. in Bedford, Mass., and Chris Wysopal, director of research and development at digital security firm @Stake Inc. in Cambridge, Mass., have submitted a draft proposal outlining standards for vulnerability disclosures by software vendors and security researchers to the Internet Engineering Task Force (IETF), the Internet’s main standards-setting body.

The reason standards are needed, Christey said, is to codify the many unwritten rules known only to those in the security community, which governs disclosure of software security flaws. Standards for software vulnerabilities disclosure standards could be understood by the entire software industry, he said.

Christey and Wysopal are asking for comments on their proposal, called the Responsible Vulnerability Disclosure Process.

Currently there is no consensus as to how or when vulnerabilities in software should be disclosed. Vendors and security experts are often at odds over disclosure policies: Vendors say they must be given enough time to fix a problem before it’s disclosed, which alerts hackers to the vulnerability; security researchers, however, want to get the information to users as soon as possible to pressure software makers to come up with a patch.

The proposal by Christey and Wysopal would require those who report vulnerabilities to follow a policy of “responsible disclosure,” to help vendors eliminate vulnerabilites, minimize the risk to users and provide the security community with the tools to identify security flaws and manage the vendor’s response.

The draft proposal requires the security researcher who discovers a vulnerability to report it to the vendor or a reliable third-party coordinator (often a member of the security community). The vendor, in turn, must respond to the notification within seven days, or if the software maker’s receipt message is automatically generated, the company should provide a date – not to exceed 10 days – when it will respond in more detail to the notification.

In addition, the draft also requires that the vendor update the security researcher every seven days and try to resolve the vulnerability within 30 days.

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said standards for vulnerability disclosures are necessary because right now “there is a free-for-all.” He said Christey and Wysopal should be lauded for their proposal.

However, he added that he wasn’t sure a standards body was the best place to present the proposal because such bureaucracies often move at the “speed of melting glaciers.”

Christey disagreed, saying the proposed standards needed widespread discussion and adoption and that the IETF already had a process for developing standards documents and putting them up for public review and open commentary.