Information Security News mailing list archives

Security Bug Disclosure Standard Dead In The Water


From: InfoSec News <isn () c4i org>
Date: Tue, 19 Mar 2002 01:41:17 -0600 (CST)

http://www.newsbytes.com/news/02/175273.html

By Brian McWilliams, Newsbytes
BURLINGTON, MASSACHUSETTS, U.S.A.,
18 Mar 2002, 2:26 PM CST
 
Proponents of an effort to standardize the handling of computer
security vulnerabilities today aborted the effort after receiving
critical comments from reviewers.

In a message today to members of the Internet Engineering Task Force's
Security Area Advisory Group, the authors announced they were
withdrawing the draft in response to feedback from members who felt
the document was not appropriate for the IETF "since it does not deal
with technical protocols."
 
The proposed standard, laid out in a document called "Responsible
Vulnerability Disclosure Process," was submitted last month to the
IETF, an Internet standards body, by Steve Christey and Chris Wysopal,
security researchers from Mitre Corp. and AtStake, respectively.

The document proposed a set of "best practices" to be used by product
vendors, security researchers and others involved in the disclosure of
computer security flaws.

"There does not appear to be any way to achieve consensus on that
issue, regardless of the merits of the current draft or any future
document that may attempt to describe disclosure recommendations,"  
said Christey in the message today.

Christey and Wysopal were not immediately available for comment.

The announcement of the proposed standard's demise stated that the
authors are "currently identifying other forums that may be more
suitable for discussion of the current document and future revisions.  
If we can't find such a forum, we will create one."

Under the proposed standard, discoverers of security bugs would honor a
30-day grace period after reporting a security flaw to a vendor before
disclosing details of the vulnerability. Vendors, in turn, would
acknowledge bug reports within seven days and set up a dedicated
e-mail address for receiving them.

The draft follows an October 2001 call for responsible disclosure from
Scott Culp, head of Microsoft's security response center. In a
much-discussed document at the Microsoft site, Culp decried what he
called the state of "information anarchy" surrounding the current
security reporting process.

While many security researchers and vendors already follow the
practices detailed in the proposed IETF standard, others expressed
concerns that codifying a reporting standard could have negative
consequences.

In a posting to the SAAG mailing list last month titled "Thanks, I am
not buying this RFC," Georgi Guninski, a Bulgarian security
consultant, stated that the proposed standard could allow vendors to
label bug finders as "irresponsible while shifting the focus from
their buggyware."

According to an acknowledgments section, the draft document reflected
input from several key security industry figures, including the
leaders of security at Microsoft and Oracle, as well as
representatives from top security consulting firms and the Computer
Emergency Response Team.

The draft IETF vulnerability disclosure document is at
http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt



ISN is currently hosted by Attrition.org