ZDNet UK
Bug alert firm sets new guidelines

Published: 03 Dec 2002 09:43 GMT


In a move aimed at quieting critics, network protection company Internet Security Systems posted guidelines on Monday on how it will warn the public of flaws in companies' software.

The company faced loud complaints last April after it released news of a security hole in the popular open-source Web server software Apache, having given the application's developers only a few hours to respond. Twice since then, the company's policy on the timing of advisories has been questioned by its peers.

Chris Rouland, director of ISS's vulnerability research and analysis team, said that he hopes that publicly stating the company's policy and adhering to it will fend off complaints in the future. "We have had perception problems," he said.

While ISS has in the past followed a disclosure policy similar to the one released on Monday, it is introducing a major change: the company will treat developers of open-source software, such as Apache, the same as proprietary developers, such as Microsoft.

"That's where we had some problems before," Rouland said.

The guidelines, posted on ISS's Web site, require ISS to wait 30 days after notifying a software firm of a vulnerability before going public. However, while the company has habitually alerted the National Infrastructure Protection Center -- the FBI's cybersecurity task force -- of any flaw that it finds, the guidelines don't require it to tell third parties about software bugs that affect security. Normally, security researchers will notify NIPC and the Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information about vulnerabilities.

"We have found the best way is that the licensor of the software should notify the licensees," Rouland said. "We don't have a complete list (of software providers), so we don't want to leave anyone out."

This issue is mainly one for open-source developers. Linux users, for example, will frequently go to the company that sells a particular Linux distribution, such as Red Hat, for a bug fix rather than to the actual developer, such as the Apache Foundation.

Many companies such as Red Hat are members of CERT and could get advisories through that organisation's alert system. However, ISS doesn't yet have an agreement in place to inform such third parties.

"Multivendor, open-source security advisories are always challenging, and we are going to look to vendors to notify their downstream providers of their issues," Rouland said.

The policy conforms with a draft set of guidelines recommended by the Organization for Internet Safety, a group formed by Microsoft and several security companies, among them ISS.
