The goal of all of the structure in the OIS plan is to prevent details of new vulnerabilities from being leaked publicly before vendors and customers have a chance to fix them. To that end, the draft specifically prohibits including "proof of concept code or test code that could readily be turned into an exploit, or detailed technical information such as exact data inputs, buffer offsets or shell code strategies." The release of exploit code is a widely criticized practice that infuriates many researchers and virtually all software vendors. Hackers have released exploits for two recent severe vulnerabilities, a severe weakness in Cisco's IOS software and a buffer overrun in the Remote Procedure Call service in Windows, and such code is often used as the basis for worms.

In an afternoon session at Black Hat Wednesday, Gerhard Eschelbeck, CTO at Qualys Inc., will discuss a year-long research project he's been conducting on the nature, lifetime, severity and other defining characteristics of vulnerabilities. Eschelbeck has been collecting data from more than 185,000 systems and has compiled information on about 1.1 million vulnerabilities. He will discuss his newly defined "Law of Vulnerabilities" and will also unveil the creation of a free tool related to the research effort.

Sitting in on a panel discussion of Eschelbeck's research will be Mary Ann Davidson, chief security officer of Oracle; Phil Zimmermann, creator of PGP; Simple Nomad, a senior security analyst at BindView and noted researcher; Richard Thieme, a business consultant; Jeff Moss, CEO of Black Hat Inc.; and JD Glaser, president and CEO of NT Objectives Inc., a security company.