Group to set bug-reporting standards

Microsoft and other software makers met with several computer-security companies on Thursday to hash out the last details of a group that will set guidelines for reporting software flaws that affect Internet security.

Currently named the Organization for Internet Safety, the group is still in flux, with members and rules not yet finalised, said sources familiar with the discussions. The talks took place in San Jose, at the RSA Conference 2002.

Stuart McClure, an OIS member and president and chief technology officer of digital-security company Foundstone, wouldn't give details about the meeting but confirmed that no form has yet been settled on for the organisation. He did say that such a group is sorely needed by the security industry.

"There is no unified procedure, policy or expectation for software companies today regarding vulnerability disclosure," McClure said. "This will help clarify."

The group springs from discussions between Microsoft and a handful of security companies on the responsible reporting of software bugs, known as vulnerabilities, that affect a business' security. Those discussions resulted in an announcement in November at Microsoft's Trusted Computing conference that a new group would be forming. The initial group consisted of Microsoft and the security companies Foundstone, @Stake, Guardent, BindView and Internet Security Systems. It's unknown what other companies are taking part in the current discussions.

Microsoft chairman Bill Gates last month sent an email to his employees urging them to make the giant's software more trusted by focusing on improving security and privacy. While many have doubts about whether the company can pull it off, the move puts security first in an industry where it has almost always taken a back seat to features.
Delaying the disclosure of vulnerabilities, and urging legitimate researchers to allow software makers time to fix problems before they're made public, could play a large role in limiting the effect of newly discovered vulnerabilities in Microsoft's products.

Earlier this week, two security researchers released a draft proposal outlining what would be considered a responsible report of a security bug. Known as a request for comment, or RFC, the draft guidelines aim to help companies eliminate vulnerabilities, help customers minimise the risk from security flaws, and provide tools for identifying security holes and managing a company's response.

"We are concerned about vulnerability reporting standards, and we have been talking with others in the industry and working to come up with best practices about what you can do so you don't learn the hard way," said Chris Wysopal, director of research and development for digital-security company @Stake, and one of the RFC's two authors.

The debate about vulnerability-disclosure policies involves two main parties. Researchers at security companies say they want to get their latest findings out quickly to hasten software makers' response to bugs. Software makers, on the other hand, say they aren't given enough time to deal with a problem, and that publicising it simply alerts malicious hackers to an opportunity. And some software makers would like to avoid any publicity whatsoever about holes in their programs -- for obvious reasons.

For security researchers, too, there's a publicity angle: catching a software maker flat-footed can mean plenty of media coverage. Earlier in February, security company Cigital touched off a responsible-disclosure debate when it informed The Wall Street Journal of the limitations of a security feature in Microsoft's latest tools for creating Windows and .Net applications.
The company gave Microsoft less than 12 hours to respond and made the information public on the same day the tools launched. While some cried foul, others defended the company's actions. Little wonder, then, that software companies are looking for a measure of what is responsible disclosure and what is not.

The draft RFC requires security researchers who find software flaws to report them to the application's maker or, if they are unable to reach the company, to a reliable third-party coordinator, such as the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University.

Once notified, the software maker must respond to the report within seven days; if only an automated response is provided, the software maker must specify when a more detailed response will be made -- and that response must be made within 10 days. In addition, the draft proposal requires that the software maker update the researcher on the status of the problem every seven days and try to resolve the problem within 30 days of being notified.

The RFC doesn't hold software makers to any set deadline to fix the problem. As long as the company is acting in good faith, the proposal says, the researcher should not make the information public.

The draft also proposes that every software company have an email address specifically set aside for security alerts and reports from security experts on software flaws. The address being suggested is "secalert@companyname.com."

If it bears fruit, the effort will let "new and existing companies have accepted and agreed-upon guidelines for fixing vulnerabilities," said Foundstone's McClure. The Organization for Internet Safety is expected to announce its final structure and name within two months, a source said.