A proposed voluntary plan for handling vulnerability disclosures is drawing fire from security researchers and other critics, even as new research shows that such a plan is sorely needed to help protect networks.
The guidelines are the work of the Organization for Internet Safety, a group of security companies and software developers, and define a process for notifying vendors of flaws, disclosing them to the public and dealing with exploit code. The document has been warmly received by many in the security community.
However, independent researchers who do the lions share of the vulnerability research that the guidelines are meant to cover are less thrilled with the plan. Security researchers at the Black Hat Briefings conference here last week criticized the group for failing to include mechanisms to ensure accountability if vendors fail to follow the plan. OIS members said they purposely eliminated such a section because the plan is voluntary and theres no way to police vendors.
"These guidelines dont let us off the hook," said Scott Culp, senior security strategist at Microsoft Corp., one of the founding members of OIS, of Redmond, Wash. "They actually increase the pressure on us. These guidelines give the finders options if we stall and dont do things right."
But some still didnt buy it. "In short, the OIS guidelines will not be adopted by the community at large. It is a process and set of guidelines made by and for the software vendors, with a minimal level of engagement from a select few security companies sharing vested interests," said Thor Larholm, senior security researcher at PivX Solutions LLC, a security consultancy based in Newport Beach, Calif. "The OIS guidelines are not a practical solution to vulnerability disclosure but a political tool that enables the software vendors to point fingers at researchers that do not choose to play by their rules."
Some OIS members conceded the plan isnt perfect and that abuse is possible. "Theres a chance the vendors will not do the right thing," said Chris Wysopal, director of research and development at @Stake Inc., based in Cambridge, Mass.
The "Security Vulnerability Reporting and Response Process" lays out a regimented timeline and set of steps for the interaction between the person who discovers a vulnerability and the vendor or vendors affected by the problem. It addresses how and when to notify the vendor, how the vendor should respond, how long the researcher should wait for a response, and how to resolve disputes.
Meanwhile, new research shows that for vulnerabilities identified as critical, the number of vulnerable systems drops by 50 percent every 30 days, according to data assembled as part of an ongoing research effort by Gerhard Eschelbeck, chief technology officer of Qualys Inc., in Redwood Shores, Calif. This so-called half-life of a vulnerability doubles with each progressively lower degree of severity. In fact, Eschelbeck found that some flaws have a virtually unlimited life span.
Security experts said the research project was important in that it shows some education is still needed regarding the importance of patching, making it all the more critical that vulnerabilities are not disclosed before patches are available.
"[Researchers] have to understand that its not a three-day proposition to do a really good job on a patch," said Mary Ann Davidson, chief security officer at Oracle Corp., also based in Redwood Shores. "Its a fine line. But if these guys work with us responsibly, we can all protect the customers. Some of them just want to tell their friends as soon as they find something."
Some members of OIS showed a little frustration with the criticisms coming from the security researchers about the lack of penalties for vendors that fail to follow the new process.
"The stick of full disclosure has worked, and I think its time that some of the researchers cut them some slack and recognize that," said Scott Blake, vice president of information security at BindView Corp., based in Houston, and one of the founding members of OIS.