mailing list archives
Re: ISS issues bug disclosure guidelines
From: Georgi Guninski <guninski () guninski com>
Date: Tue, 03 Dec 2002 12:16:58 +0200
Personally, I don't care about ISS's guidelines. Of course they can do whatever
they wish with their 0days.
*My* 0days are another topic. For them I care about applicable laws where I live
(and of course as this list shows, there are ways to post quite anonymously).
And this guideline:
Is much more appealing to me.
So after the responsibility RFC got busted, they are fighting at corporate
I am thinking about making entities on my black list (microsoft, securityfocus,
mitre, cert) beg for 0days in any form.
The idea is making a license agreement/non-disclosure agreement in the
publication/code which makes them not eligible to read/use the intellectual
property at all. A lawyer said this approach is legal (of course it is difficult
to enforce). In addition encoding like ROT13 may be used to prevent them from
reverse engineering the IP (cough cough DMCA) :). There are several precedents
of high profile code which forbids including in sf's vuln db.
Has anyone tried something like the above or has advice?
Richard M. Smith wrote:
Internet Security Systems Issues Vulnerability Disclosure Guidelines,
Aligns with National Efforts For Responsible Disclosure of Security
ATLANTA, Ga. - December 2, 2002 - In its continuing effort to provide
customers with the most reliable source of global security intelligence
information, Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) today
released its current Vulnerability Disclosure Guidelines. ISS'
Vulnerability Disclosure Guidelines outline the process and procedures
under which vulnerabilities that are researched and discovered by the
ISS X-Force(TM) are disclosed to software and hardware vendors, customers,
and the public. The X-Force is ISS' renowned security intelligence
research and development team.
"Responsible discovery and disclosure of security vulnerabilities
continues to be a topic of great interest. It's under much scrutiny in
the public and private sectors, and it should be, if the protection of
critical infrastructures around the world is of any concern," said Chris
Rouland, director, X-Force, Internet Security Systems. "Security
research organizations need to implement standards that reflect the
public's need to know vital information about vulnerabilities in a
timely manner, but that also give ample consideration to software
vendors working to remedy issues in their products, so that the public
is not put at risk without a corrective action available. We believe
that publishing our current guidelines will help with the dialog and
encourage other security research organizations to implement similar
The guidelines align with the efforts of the U.S. government and other
organizations to promote responsible disclosure of newly discovered
computer network vulnerabilities. The guidelines aim to balance the need
of the public to receive timely, critical information on newly
discovered vulnerabilities with software vendors' need for sufficient
time to correct security issues identified in their products.
"Computer users benefit when security researchers and software vendors
work together to identify and eliminate security vulnerabilities
quickly," said Scott Culp, Manager of the Microsoft Security Response
Center. "We applaud ISS for taking a leadership role in this area and
developing corporate guidelines that clearly reflect users' best
Paul Vixie, Chairman of Internet Software Consortium, Inc., and main
author of BIND-8, adds "when a vulnerability is discovered, it's very
important to get fixes into the field as quickly as possible. But
there's a tight balance between helping vendors and end-users protect
their products and systems, as opposed to helping the bad guys learn how
to exploit the vulnerabilities. This is especially true in the open
source community where the tension between what's public and what's
private is particularly high. ISS X-Force's guidelines are exemplary in
their respect for both the dangers and requirements of vulnerability
disclosure. Others in the field should take note."
Internet Security Systems X-Force guidelines contain a four-phase
process, which includes the Initial Discovery Phase, Vendor Notification
Phase, Customer Notification Phase and Public Disclosure Phase. The
process and procedures outlined in the guidelines are the same for all
vendors. The ISS X-Force defines a vendor as any company, group or
organization that develops and provides software, hardware or firmware
applications either for sale or as part of a free distribution. The ISS
Vulnerability Disclosure Guidelines are available for public review in
their entirety on the Internet Security Systems web site at
guidelines may change from time to time to reflect current best
As a founding member of the Organization for Internet Safety (OIS),
Internet Security Systems has worked closely with committee members to
ensure the guidelines conform to industry best practices. ISS also
sought input on the guidelines from additional public and private
organizations in order to develop a document that effectively reflects
the efforts and concerns resonating throughout the security industry
with regards to responsible disclosure of security vulnerabilities.
Full-Disclosure - We believe in it.