mailing list archives
Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines
From: Pete Herzog <pete () isecom org>
Date: Mon, 05 Jul 2004 21:30:34 +0200
The number of researchers locked out of this opinion piece are not alone
in questioning the motives of the OIS. I can only speak for myself but
this process of vulnerability reporting that the OIS suggests is elitist
and unethical. Much more unethical than the releasing of information
publicly to all even if no fix is available.
That there are significant problems with the OIS guidelines is an
understatement. While I agree that there is a need for proposing
guidelines, the actual premise of these particular guidelines
essentially proposes less security. And while the OIS claims it will
not be made into law (http://www.oisafety.org/about.html#6) there is
serious doubt on this premise
existing laws may already be applicable and sure to cause a chilling
effect on security research if these guidelines turn up the heat. Then
the "30 days to disclosure" has no consequence if the research can't be
made in the first place. It would seem that puts the vendor under less
pressure and not more
Another problem is that OIS refused to give independent security
researchers a voice (http://www.oisafety.org/about.html#3) which is the
exact opposite of the claim that the process will actually meet the
needs of the security community (http://www.oisafety.org/about.html#4).
There can be no positive, security reason for this. Are we to assume
that, as according to your guidelines, you will take feedback from all
who are not independent security researchers? How is that label even
defined? How is one a "dependent security researcher" if not dependent
to the vendor?
As if locking out non-vendor-related researchers is not enough, it
becomes even more suspect. Section 2.3 Timeline proposes that the
system be elitist with no mention of how these first-choice groups are
who get the information or how abuse will be handled by those who break
the OIS code of ethics for sharing it with customers, selling it or
auctioning this early warning information. If exploit code is not
allowed and OIS has "no illusions"
(http://www.oisafety.org/about.html#12) that others may already have it,
then why the elitism on who gets to know about it first? This brings me
to the key issue.
The largest problem is that these guidelines don't scale much past the
present where vulnerabilities at worst cause a loss of money. Therefore,
I can't imagine a future where it works when human lives are directly
affected. Vulnerability disclosure aside, it's always better to have
the choice to hear warnings and make rational choices on those warnings
because only the choice maker knows the true value of those choices.
OIS is proposing otherwise (http://www.oisafety.org/about.html#10 and
the "...no illusions...." in
http://www.oisafety.org/about.html#12). Witholding information in an
elitist manner and not giving the public the choice to make their own
security decisions is wrong and unethical.
The OIS committee and guidelines as they stand are absolutely the wrong
foot forward to this future. Not only security researchers should be
angry with this proposal.
Managing Director, ISECOM
Nobody trusts the OIS or its motives. I imagine this is similar to the
feedback you've gotten from everyone else as well, but Immunity has no
plans to subscribe to your guidelines, and is going to oppose any
efforts you make to legislate those guidelines as law. In section 1.1
the draft proposes that the purpose of the OIS's model is to protect
systems from vulnerabilities. This is fairly obviously untrue - the
purpose of the OIS is to lobby towards a business model for Microsoft
and the other OIS members that involves the removal of non-compliant
This call for feedback is a thinly disguised attempt to get public
legitimacy and allow the OIS to claim it has community backing, which it
clearly does not.
It's rare, but there are still security companies and individuals who do
not owe their entire business to money from Microsoft. It's July 4th.
and some of us are Americans who understand the concept of independance.
-----BEGIN PGP SIGNED MESSAGE-----
The Organization for Internet Safety (OIS) extends an invitation to
Full-Disclosure - We believe in it.