Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Pete Herzog <pete () isecom org>
Date: Mon, 05 Jul 2004 21:30:34 +0200


The number of researchers locked out of this opinion piece are not alone in questioning the motives of the OIS. I can only speak for myself but this process of vulnerability reporting that the OIS suggests is elitist and unethical. Much more unethical than the releasing of information publicly to all even if no fix is available.

That there are significant problems with the OIS guidelines is an understatement. While I agree that there is a need for proposing guidelines, the actual premise of these particular guidelines essentially proposes less security. And while the OIS claims it will not be made into law (http://www.oisafety.org/about.html#6) there is serious doubt on this premise (http://www.sbq.com/sbq/vuln_disclosure/sbq_disclosure_liability.pdf) as existing laws may already be applicable and sure to cause a chilling effect on security research if these guidelines turn up the heat. Then the "30 days to disclosure" has no consequence if the research can't be made in the first place. It would seem that puts the vendor under less pressure and not more (http://att.com.com/Panel+defends+flaw+disclosure+guidelines/2100-1002_3-5057914.html).

Another problem is that OIS refused to give independent security researchers a voice (http://www.oisafety.org/about.html#3) which is the exact opposite of the claim that the process will actually meet the needs of the security community (http://www.oisafety.org/about.html#4). There can be no positive, security reason for this. Are we to assume that, as according to your guidelines, you will take feedback from all who are not independent security researchers? How is that label even defined? How is one a "dependent security researcher" if not dependent to the vendor?

As if locking out non-vendor-related researchers is not enough, it becomes even more suspect. Section 2.3 Timeline proposes that the system be elitist with no mention of how these first-choice groups are who get the information or how abuse will be handled by those who break the OIS code of ethics for sharing it with customers, selling it or auctioning this early warning information. If exploit code is not allowed and OIS has "no illusions" (http://www.oisafety.org/about.html#12) that others may already have it, then why the elitism on who gets to know about it first? This brings me to the key issue.

The largest problem is that these guidelines don't scale much past the present where vulnerabilities at worst cause a loss of money. Therefore, I can't imagine a future where it works when human lives are directly affected. Vulnerability disclosure aside, it's always better to have the choice to hear warnings and make rational choices on those warnings because only the choice maker knows the true value of those choices. OIS is proposing otherwise (http://www.oisafety.org/about.html#10 and the "...no illusions...." in http://www.oisafety.org/about.html#12). Witholding information in an elitist manner and not giving the public the choice to make their own security decisions is wrong and unethical.

The OIS committee and guidelines as they stand are absolutely the wrong foot forward to this future. Not only security researchers should be angry with this proposal.


Pete Herzog
Managing Director, ISECOM

dave wrote:

Nobody trusts the OIS or its motives. I imagine this is similar to the feedback you've gotten from everyone else as well, but Immunity has no plans to subscribe to your guidelines, and is going to oppose any efforts you make to legislate those guidelines as law. In section 1.1 the draft proposes that the purpose of the OIS's model is to protect systems from vulnerabilities. This is fairly obviously untrue - the purpose of the OIS is to lobby towards a business model for Microsoft and the other OIS members that involves the removal of non-compliant security researchers.

This call for feedback is a thinly disguised attempt to get public legitimacy and allow the OIS to claim it has community backing, which it clearly does not.

It's rare, but there are still security companies and individuals who do not owe their entire business to money from Microsoft. It's July 4th. and some of us are Americans who understand the concept of independance.

Dave Aitel
Immunity, Inc.

OIS wrote:

Hash: SHA1

The Organization for Internet Safety (OIS) extends an invitation to

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]