Home page logo

fulldisclosure logo Full Disclosure mailing list archives

ISS issues bug disclosure guidelines
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Dec 2002 20:11:09 -0500



Internet Security Systems Issues Vulnerability Disclosure Guidelines,
Aligns with National Efforts For Responsible Disclosure of Security

ATLANTA, Ga. - December 2, 2002 - In its continuing effort to provide
customers with the most reliable source of global security intelligence
information, Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) today
released its current Vulnerability Disclosure Guidelines. ISS'
Vulnerability Disclosure Guidelines outline the process and procedures
under which vulnerabilities that are researched and discovered by the
ISS X-ForceT are disclosed to software and hardware vendors, customers,
and the public. The X-Force is ISS' renowned security intelligence
research and development team. 

"Responsible discovery and disclosure of security vulnerabilities
continues to be a topic of great interest. It's under much scrutiny in
the public and private sectors, and it should be, if the protection of
critical infrastructures around the world is of any concern," said Chris
Rouland, director, X-Force, Internet Security Systems. "Security
research organizations need to implement standards that reflect the
public's need to know vital information about vulnerabilities in a
timely manner, but that also give ample consideration to software
vendors working to remedy issues in their products, so that the public
is not put at risk without a corrective action available. We believe
that publishing our current guidelines will help with the dialog and
encourage other security research organizations to implement similar

The guidelines align with the efforts of the U.S. government and other
organizations to promote responsible disclosure of newly discovered
computer network vulnerabilities. The guidelines aim to balance the need
of the public to receive timely, critical information on newly
discovered vulnerabilities with software vendors' need for sufficient
time to correct security issues identified in their products. 

"Computer users benefit when security researchers and software vendors
work together to identify and eliminate security vulnerabilities
quickly," said Scott Culp, Manager of the Microsoft Security Response
Center. "We applaud ISS for taking a leadership role in this area and
developing corporate guidelines that clearly reflect users' best

Paul Vixie, Chairman of Internet Software Consortium, Inc., and main
author of BIND-8, adds "when a vulnerability is discovered, it's very
important to get fixes into the field as quickly as possible. But
there's a tight balance between helping vendors and end-users protect
their products and systems, as opposed to helping the bad guys learn how
to exploit the vulnerabilities. This is especially true in the open
source community where the tension between what's public and what's
private is particularly high. ISS X-Force's guidelines are exemplary in
their respect for both the dangers and requirements of vulnerability
disclosure. Others in the field should take note." 

Internet Security Systems X-Force guidelines contain a four-phase
process, which includes the Initial Discovery Phase, Vendor Notification
Phase, Customer Notification Phase and Public Disclosure Phase. The
process and procedures outlined in the guidelines are the same for all
vendors. The ISS X-Force defines a vendor as any company, group or
organization that develops and provides software, hardware or firmware
applications either for sale or as part of a free distribution. The ISS
Vulnerability Disclosure Guidelines are available for public review in
their entirety on the Internet Security Systems web site at
http://documents.iss.net/literature/vulnerability_guidelines.pdf. These
guidelines may change from time to time to reflect current best

As a founding member of the Organization for Internet Safety (OIS),
Internet Security Systems has worked closely with committee members to
ensure the guidelines conform to industry best practices. ISS also
sought input on the guidelines from additional public and private
organizations in order to develop a document that effectively reflects
the efforts and concerns resonating throughout the security industry
with regards to responsible disclosure of security vulnerabilities. 

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]