ISS Goes Public With Vulnerability Disclosure Guidelines

X-Force research team alerts customers of new vulnerabilities one day after notifying the affected vendor.

Internet Security Systems Inc. on Monday released to the public the vulnerability disclosure guidelines that its internal X-Force research team uses in identifying flaws and notifying vendors and the public.

The guidelines are fairly standard and include a provision that is becoming more and more common among security vendors that also do vulnerability research. The clause informs vendors that ISS customers who subscribe to the companys X-Force Threat Analysis Service will be told about any new vulnerabilities one business day after ISS notifies the affected vendor. Customers will also get information on any countermeasures that may be available.

Other security vendors have similar policies, under which their paying customers receive early warning of newly discovered flaws. Many vendors also add a check for the vulnerability to their commercial products before the vulnerabilitys existence is public knowledge.

ISS policy also dictates that it will publicly disclose new vulnerabilities 30 days—or perhaps sooner—after the companys initial contact with the vendor, unless other arrangements have been made. And if there is a discussion of a new vulnerability on a public mailing list, the vendor becomes unresponsive or a news article mentions the flaw, then ISS will accelerate its public notification.

"Security research organizations need to implement standards that reflect the publics need to know vital information about vulnerabilities in a timely manner, but that also give ample consideration to software vendors working to remedy issues in their products so that the public is not put at risk without a corrective action available," said Chris Rouland, director if the X-Force at ISS, based in Atlanta.

ISS is a prominent member of the Organization for Internet Safety, a group of security and software vendors that have banded together to develop a common set of guidelines that can be used for responsible disclosure of vulnerabilities. The group is still working on its guidelines.