ISS Goes Public with Disclosure Policy

In the face of public criticism over its handling of software security
alerts, Atlanta-based Internet Security Systems on
Monday went public with its Vulnerability Disclosure Guidelines, maintaining
that subscribers to its X-Force Threat Analysis Service will be warned of new
vulnerabilities one business day after the affected vendor is notified.

The public release of the Disclosure Guidelines comes just weeks after
security experts chided ISS
for releasing information about security flaws in the BIND server and Sun’s
Solaris Font Service without giving the affected vendors enough time to
issue patches or fixes.

In the case of the Solaris flaw, the ISS X-Serve Unit detected the security
hole and released the information before Sun could issue
a comprehensive fix. As it is, only a workaround could be made available to
users of the Solaris Font Service.

But ISS maintains that customers who subscribe to its Threat Analysis
Service will get early warnings and information on any countermeasures that
may be available shortly after the software vendor is notified.

The guidelines, which were updated to “clearly define and communicate” the
processes to the vendor community, spell out the procedure used to issue
security advisories once a vulnerability is detected.

The guidelines appear fairly standard, and a spokesman for ISS said the document does not contain any major changes
from the existing policy. “X-Force’s definition of a vendor or proper vendor
notification has not changed, but this document clearly communicates to the
industry how we define a vendor and proper vendor notification,” the
spokesman said.

ISS also maintained it would publicly warn of new flaws 30 days (or
sooner) after the affected vendor is contacted unless special arrangements
dictate otherwise.

It also retained the right to issue an advisory if reports of a
vulnerability are made available on a public mailing list, in a news article,
or if a vendor is unresponsive to its initial notification. In those cases,
ISS said it would speed up the public release of its alert.

“The guidelines align with the efforts of the U.S. government and other
organizations to promote responsible disclosure of newly discovered computer
network vulnerabilities. The guidelines aim to balance the need of the
public to receive timely, critical information on newly discovered
vulnerabilities with software vendors’ need for sufficient time to correct
security issues identified in their products,” ISS said.

Earlier this year, the government urged “white hat” hackers to
avoid full disclosure of vulnerabilities. Richard Clarke, President Bush’s special
advisor for cyberspace security, said security professionals have an
obligation to be responsible with the disclosure of security
vulnerabilities. They should first report vulnerabilities to the vendor who
makes the software in which the vulnerability is found, and then tell the
government if the vendor doesn’t take action.

Only after a patch for the vulnerability is distributed, Clarke told an IT
security audience, should others be notified about the vulnerability. “It’s
irresponsible and sometimes extremely damaging to release information before
the patch is out.”

In a statement Monday, Director of ISS X-Force Chris Rouland alluded to the
recent interest in the way discovery and disclosure of security flaws are
handled. “Security research organizations need to implement standards that
reflect the public’s need to know vital information about vulnerabilities in
a timely manner, but that also give ample consideration to software vendors
working to remedy issues in their products, so that the public is not put at
risk without a corrective action available,” Rouland said.

“We believe that publishing our current guidelines will help with the dialog
and encourage other security research organizations to implement similar
procedures,” he added.
