Security Group Solidifying Battle Plans

OIS finalizes plans for responsible reporting of vulnerabilities.

A group of security experts working on a plan for responsible vulnerability disclosure met here earlier this month to set the final details of their organizations structure and discuss the status of their plan. The group, known informally as the Organization for Internet Safety, has been collaborating for nearly a year and said it hopes to announce a permanent name and official structure and goals next month.

"I think weve finally gotten past most of the legal hurdles, so we should be able to announce some things soon," said Scott Blake, vice president for information security at BindView Corp., in Houston, and a member of the group. The group made progress on how it will be structured and what its disclosure plan will include, but there are still a few details to iron out, Blake said. Questions about the way companies intellectual property would be handled have taken some time to work through but seem to be answered at this point, sources said.

The organization formed last fall at Microsoft Corp.s Trusted Computing conference with the goal of developing a comprehensive plan for the disclosure of software vulnerabilities. Founding members include Microsoft, BindView, @Stake Inc., Guardent Inc., Foundstone Inc. and Internet Security Systems Inc. Other companies have since joined, but the group hasnt yet named them.

OIS hopes to produce a document that it will either submit to a standards body for consideration or champion itself. Chris Wysopal, director of research and development at @Stake, in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass., earlier this year submitted a draft plan of their own to the Internet Engineering Task Force. The IETF ultimately decided it wasnt the appropriate body to consider the draft, but many of the elements of the proposal will likely end up in the OIS document.

"I think the Wysopal-Christey draft was a good starting point," said Scott Culp, manager of the Microsoft Security Response Center, in Redmond, Wash. "Clearly, well never have unanimity, but there is a growing consensus. Theres clearly a lot of interest in a standard procedure."

There is a lot of interest in such a procedure in Redmond. Microsoft officials, and Culp in particular, have been vocal in their calls for security researchers to act responsibly and alert vendors and give them a chance to patch any vulnerabilities they find before announcing their discoveries publicly. Microsoft has powerful allies in its camp, including Richard Clarke, chairman of President Bushs Critical Infrastructure Protection Board.

At the Black Hat Briefings security conference here last week, Clarke encouraged hackers and security professionals to continue their research and keep looking for vulnerabilities. But he warned of the problems that can result from prematurely releasing such information to the general public.

"Based on their track record, we need people outside the software companies to find vulnerabilities," Clarke said. "But its irresponsible and extremely dangerous to release that knowledge before a patch is available."