Group issues framework for vulnerability reports

The Organization for Internet Safety (OIS) is wading more deeply into the murky waters of vulnerability disclosure, releasing a draft document that lays out best practices for reporting and responding to software security vulnerabilities.

The draft document, Security Vulnerability Reporting and Response Process, was published Wednesday on the OIS Web site.

The document is intended as a reference for software vendors and individuals or organizations involved in reporting security vulnerability information, according to the OIS.

Established in September 2002, the OIS is made up of representatives from technology vendors and security research consultancies. Members include leading companies such as Microsoft Corp., Oracle Corp., Internet Security Systems Inc. and Network Associates Inc.

The best practices document, it is hoped, will clarify a system that is currently muddied by the conflicting priorities and interests of software vendors and security researchers, according to Scott Blake, vice-president of information security at OIS member BindView Corp.

The process outlined by the OIS can serve as a basis for developing security reporting and response policies, the OIS said.

Goals and guidelines for both the finder and responder to security vulnerability information are provided for each step in the vulnerability disclosure process, from initial discovery through final release of the vulnerability information.

On the sensitive issue of vendors responding to information about vulnerabilities in their products, the OIS said that both the vendor and the party that finds a vulnerability should work to establish an appropriate timeframe to respond, taking into account the urgency of the problem and the technical challenge of investigating it.

The OIS draft document supported the customary 30-day grace period following initial discovery of a vulnerability.

However, the document also recommended a second 30-day hold on publication of detailed technical information related to the vulnerability following the release of a patch.

The idea was to give users a head start in catching up with a vulnerability, rather than having to respond to immediate attacks that take advantage of the security hole, Blake said.

The document also makes recommendations on a wide variety of other issues, from the kind of information that researchers should report to vendors to steps vendors should take to streamline vulnerability reporting and keep researchers updated as vulnerabilities are investigated.

Steps for resolving disputes and deadlocks between vendors and security researchers over the existence or severity of vulnerabilities are also provided.

Still, the group steered away from thornier issues.

Questions about the legality of publishing certain types of security vulnerability information stemming from the Digital Millennium Copyright Act were left out of the document, according to Blake.

“We’re not lawyers and don’t want to provide legal advice,” Blake said.

Following a 30-day comment period, the OIS will weigh the comments it received from the community and incorporate any “good” comments into a final draft of the reporting procedures, which will be unveiled in July at the Black Hat USA 2003 trade symposium in Las Vegas, Blake said.

While the group has no ability to enforce its policies on other security researchers, the level of experience of the OIS representatives and the effort put into creating the document should give weight to the group’s recommendations, Blake said.

The group is hoping that market forces play a role, as well, with the OIS standards becoming a way to discriminate between different organizations’ practices, he said.

For details, visit