The future looks increasingly murky for a document that many in the security industry hoped could help bring some order to the chaotic process of disclosing security vulnerabilities.
The document, “Responsible Disclosure Process,” was withdrawn last week from consideration by the Internet Engineering Task Force by its authors, Chris Wysopal, director of research and development at @Stake Inc., in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass.
It is unclear what will happen to the proposal.
The pair submitted the proposal to the IETF, the Internet standards body, last month for consideration for Internet-Draft status, which is the first step in the standards process.
However, the people who oversee the IETF's security section decided it didn't fit with the body's main mission of developing technical standards for Internet operations.
The proposal is meant to serve as a set of guidelines for security researchers, vendors and others involved in the vulnerability disclosure process. Wysopal and Christey, who are both well-known in the security community, hoped that the document would be an important step along the road toward a uniform disclosure policy.
The document resulted from discussions held at Microsoft Corp.'s Trusted Computing conference last November, at which @Stake, Microsoft and several other vendors emphasized the need for a formal disclosure process. Currently, anyone who finds a vulnerability—whether they be a malicious cracker or a legitimate researcher—is free to publicize the problem however he or she sees fit. Under Wysopal and Christey's proposal, organizations that adopt their policy would follow a prescribed series of steps and, in most cases, would publish the vulnerability data only after a fix is available.
Christey said he and Wysopal received many comments on their proposal from people both inside and outside the IETF and that they will try to address the concerns raised in a second draft of the proposal. Much of the criticism centered on the document's definition of responsible disclosure and whether it was too narrow. In addition, some thought that the language allowed vendors to discourage disclosure.
As for the future of the document, Christey said he and Wysopal are still contemplating what their next step will be. “We'll look for another forum for it, and if we can't find one, we'll create one ourselves,” he said, adding that it is too soon to say what that forum's structure might be.