OIS attempts to standardize software bug disclosure

Vendors and watchdog groups are on the horns of a dilemma when it comes to disclosing software security holes. Revealing them allows both exploitation and repair. The Organization for Internet Security has drafted a policy to help.

By Wayne Rash

No doubt you’ve seen the alerts. Researchers tell the news media they've found a major hole in a major piece of Internet software. Everyone panics, the researchers get their 15 minutes of fame, and eventually the fixes arrive.

The continued flood of vulnerabilities and concern about disclosure and response policies have spawned various efforts to develop standards for handling vulnerabilities. One group of industry experts has formed the Organization for Internet Security (OIS), which includes representatives from Microsoft, IBM, Sun, and HP. And recently, a separate group published a draft policy that would require vendors to create patches or other fixes within 30 days of being told about their product’s security problems.

If OIS gets the cooperation it needs, researchers would first report their findings to the group rather than to the press. OIS experts would evaluate the claims, assess the severity of the vulnerability, and then ask the product vendor to produce a fix. Of course, OIS has no enforcement mechanism in place, so there's no guarantee a vendor will do anything, or do it on time.

In one sense, I think the OIS has the germ of a good idea. When people broadcast details of security holes—especially when they include code that demonstrates how to exploit those vulnerabilities—they’re playing into the hands of hackers. On the other hand, you need to know about vulnerabilities as early in the process as you can. The OIS solution puts the vulnerabilities in a kind of black box and potentially prevents early warning.

Let's also not forget that without some means of holding companies accountable, there's little assurance that these vulnerabilities will get cleared up in accordance with the OIS or anyone else's guidelines. In addition, what do you do if there's no vendor? For example, the Linux kernel has no single vendor; it is maintained by a community of developers and shipped by many distributors. Whom does OIS ask for the fix when a problem is found?

The OIS is a nice start toward vulnerability fixes, but it's not a complete solution. The last thing your enterprise needs is a partial solution held too long and delivered too late. The sad truth is, that's what OIS brings at this point—too little, too late.
