Bug alert firm sets new guidelines

NEWS

In a move aimed at quieting critics, network protection company Internet Security Systems posted guidelines on Monday on how it will warn the public of flaws in companies' software. The company faced loud complaints last April after it released news of a security hole in the popular open-source Web server software Apache, having given the application's developers only a few hours to respond. Two times since then, the company's policy on the timing of advisories has been questioned by its peers. Chris Rouland, director of ISS's vulnerability research and analysis team, said that he hopes that publicly stating the company's policy and adhering to it will fend off complaints in the future. "We have had perception problems," he said. While ISS has in the past followed a disclosure policy similar to the one released on Monday, it is introducing a major change: the company will treat developers of open-source software, such as Apache, the same as proprietary developers, such as Microsoft. "That's where we had some problems before," Rouland said. The guidelines, posted on ISS' Web site, require ISS to wait 30 days after notifying a software firm of a vulnerability before going public. However, while the company has habitually alerted the National Infrastructure Protection Center -- the FBI's cybersecurity task force -- of any flaw that it finds, the guidelines don't require it to tell third-parties about software bugs that affect security. Normally, security researchers will notify NIPC and Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information about vulnerabilities. "We have found the best way is that the licensor of the software should notify the licensees," Rouland said. "We don't have a complete list (of software providers), so we don't want to leave anyone out." This issue is mainly one for open-source developers. Linux users, for example, will frequently go to the company that sells a particular Linux distribution, such as Red Hat, for a bug fix rather than to the actual developer, such as the Apache Foundation. Many companies such as Red Hat are members of CERT and could get advisories through that organisation's alert system. However, ISS doesn't yet have an agreement in place to inform such third-parties. "Multivendor, open-source security advisories are always challenging, and we are going to look to vendors to notify their downstream providers of their issues," Rouland said. The policy conforms with a draft set of guidelines recommended by the Organization for Internet Safety, a group formed by Microsoft and several security companies, among them ISS.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Have your say instantly, and see what others have said. Go to the Security forum. Let the editors know what you think in the Mailroom.

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

ZDNet UK Live

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

1 minute ago by Moley on ACTA: Facts, misconceptions and questions

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

3 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

4 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

4 hours ago by ewallace on ACTA: Facts, misconceptions and questions

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

6 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

7 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule

Any update on this, considering the claimed "first week of February"?

8 hours ago by Marcus Karlsson via Facebook on Archos confirms G9 Ice Cream Sandwich update schedule

Bill Goodrich : Just as al_langevin pointed out, with Windows Server 2008 there is no Services for Macintosh anymore. It's gone, not available....

16 hours ago by apexwm on Windows Server 2008 drops the ball for Mac compatibility

Replying to an old topic that I'm currently facing with my CEO (who is on a Mac). Our servers are primarily Windows Servers, office is about...

22 hours ago by txtrainguy on Windows Server 2008 drops the ball for Mac compatibility

Sure, that makes perfect sense. Pay wrong-doers money and thank them for breaching your security and pointing out your flaws, that would surely...

23 hours ago by k0tcs3 on US indicts Romanian over NASA climate change hack

I think he's referring specifically to Android apps, as Apple do regulate their App Store, but Google seem to let any old crap onto the Android store!

23 hours ago by Random_Error on RIM: BlackBerry will keep 'garbage' apps out of store