Vendor group plans vulnerability disclosures

A multi-vendor team led by Microsoft Corp. in late July released new guidelines for security vulnerability reporting and response. But critics of the effort faulted it for its lack of non-vendor buy-in.

The voluntary group of 11 security companies and software developers, known collectively as the Organization for Internet Safety (OIS), has been engaged in a year-long effort to standardize the process through which security researchers and software vendors work together on finding, fixing and releasing information about software vulnerabilities to the public.

In the past, software vendors and security researchers have been at loggerheads over the practice of full disclosure, under which vulnerability information is publicly released before vendors have a chance to respond to it.

Key elements of the process include a requirement for vendors to set up an established point of contact for receiving vulnerability information and a provision that vendors should respond within seven days to a vulnerability report.

The process also sets forth a 30-day period to find a fix, during which the vulnerability information won’t be publicly disclosed by the finder, and a 30-day grace period after a fix has been issued before supplemental details such as exploit code can be released by the finder.

But some independent security researchers claimed that the OIS effort is unbalanced.

“The OIS is a specification made by vendors for vendors,” said Thor Larholm, a security researcher at PivX Solutions LLC, a Newport Beach, Calif.-based network security consultancy. “The guidelines provide absolutely no incentive for most security researchers to follow the process. There are simply too many loopholes for any vendor to continue (its) current process of downplaying the severity of vulnerabilities.”

“Hiding information about bugs hurts ordinary users and systems administrators,” said Georgi Guninski, a Bulgarian bug hunter who has discovered numerous flaws in Microsoft products and has previously been criticized by the company for irresponsible disclosure.

“In most cases, when a security bug is announced by a (finder), the same (finder) gives an efficient solution to the problem,” Guninski said, noting the lag time built into the OIS guidelines.

Scott Culp, senior security strategist at Microsoft, said the guidelines won’t relieve any of the pressure that full disclosure imposes on vendors. In fact, he said, the opposite is true, noting that there’s a timetable built into the process and that a company can be held accountable if it fails to respond to a reported vulnerability.

The OIS plans to revisit the guidelines in six months to assess their effectiveness and to incorporate recommendations from the security community.