LAS VEGAS—A group of security experts working on a plan for responsible vulnerability disclosure will meet here Friday to try to nail down the final details of their organizations structure and discuss the status of their plan. The group, known informally as the Organization for Internet Safety, has been collaborating for nearly a year and is hoping to announce a permanent name and official structure and goals within the next few weeks.
“I think weve finally gotten past most of the legal hurdles, so we should be able to announce some things soon,” said Scott Blake, vice president for information security at BindView Corp., in Houston, and a member of the group.
The organization formed last fall at Microsoft Corp.s Trusted Computing conference with the goal of developing a comprehensive plan for the disclosure of software vulnerabilities. Founding members include Microsoft, BindView, @stake Inc., Guardent Inc., Foundstone Inc. and Internet Security Systems Inc. Other companies have since joined, but the group hasnt announced who they are.
The OIS hopes to produce a document that it will either submit to a standards body for consideration or champion itself. Chris Wysopal, director of research and development at @stake in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass., earlier this year submitted a draft plan of their own to the Internet Engineering Task Force. The IETF ultimately decided it wasnt the appropriate body to consider the draft, but many of the elements of the proposal will likely end up in the OIS document.
“I think the Wysopal-Christey draft was a good starting point,” said Scott Culp, manager of the Microsoft Security Response Center in Redmond, Wash. “Clearly well never have unanimity, but there is a growing consensus. Theres clearly a lot of interest in a standard procedure.”
Certainly, there is a lot of interest in such a procedure in Redmond. Microsoft officials, and Culp in particular, have been very vocal in their calls for security researchers to act responsibly and alert vendors and give them a chance to patch any vulnerabilities they find before announcing their discoveries to the rest of the world. Microsoft has some powerful allies in its camp, including Richard Clarke, chairman of the Presidents Critical Infrastructure Protection Board.
At the Blackhat Briefings security conference here this week, Clarke encouraged the assembled hackers and security professionals to continue their research and keep looking for vulnerabilities. But in the next breath he warned of the problems that can result from prematurely releasing such information to the general public.
“Based on their track record, we need people outside the software companies to find vulnerabilities,” Clarke said. “But its irresponsible and extremely dangerous to release that knowledge before a patch is available.”
Meanwhile, a second group of security professionals announced Thursday that it is creating a massive database of vulnerabilities in open source software programs. The Open Source Vulnerability Database will be freely available to anyone and is the product of a partnership among several security Web sites and organizations, including VulnWatch.org, which maintains a full-disclosure mailing list, PacketStormSecurity.org and Alldas.org.
Related stories:
- OIS Readies Security Standard Proposal
- Security Proposal Nearly Ready for Inspection
- Security Proposal in Jeopardy