Vendors and security firms join forces to thrash out reporting policies

Leading software vendors and security firms have formally launched an organisation to agree new strategies on the reporting of software security vulnerabilities.

The aim is to balance the users' right to know whether their software is flawed against the possibility that publicising vulnerabilities may encourage hackers.

The new group, the Organisation for Internet Safety (OIS) will work to develop a system that will set standards for the way security vulnerabilities are disclosed.

Generally, security companies and independent security researchers who discover software bugs inform the vendor of the discovery and allow the company some time to develop a patch for the flaw before releasing the information publicly.

However, this is not always the case, and security vulnerabilities have been declared publicly before the vendor concerned has had a chance to examine the bug, or determine its importance.

"We're trying to give some guidelines for what constitutes professional behaviour," said Scott Blake, chairman of the communications committee for OIS and vice-president of information security for Bindview, one of the group's members.

Other organisations backing the move include Microsoft, Network Associates, Oracle, Silicon Graphics, Symantec, @stake, Caldera International and Internet Security Systems.

An advisory board of network security managers is being set up to help the OIS understand the needs and concerns of IT departments when reporting security vulnerabilities. Drafts of potential standards will be circulated in early 2003, the organisation said. Each member organisation will have an equal vote in proposed standards, Blake said.

A final set of standards will not appear for some time, but there will be opportunities for public comment on the proposals, Blake said.
