Group pushes standards for security disclosure

Computerworld

By Jaikumar Vijayan

(IDG) -- Microsoft Corp. and a handful of security firms have formed an alliance to propose standards that would give vendors time to fix security flaws in their software before those vulnerabilities are publicly disclosed.

The as-yet-unnamed group was formed at Microsoft's recent Trusted Computing Conference. Its goal is to create consensus and standards regarding the disclosure of security flaws and information on how to exploit them, said Eddie Schwartz, an analyst at Guardent Inc. in Waltham, Mass. Guardent is one of five security firms to join the effort.

"We want to create an atmosphere where people are more responsible with the disclosure of vulnerability information," Schwartz said. "Right now, it is way too ad hoc."

The tendency to indiscriminately publish information on how to exploit software flaws has led to considerable damage in the past, he said. The aim of the group isn't to stifle the disclosure of vulnerability information, but to prevent such information from being prematurely published, Schwartz said.

Under one proposed guideline, people who find a software flaw would wait at least 30 days before releasing details on how to exploit it. Software vendors would use that period to develop and distribute patches to customers. The guidelines would be voluntary, since the group has no enforcement authority.

The group said it will also work to ensure that vendors respond in a responsible and expeditious manner when providing information about a security flaw.

The effort comes just a few weeks after a Microsoft security manager published a scathing document on the company's Web site lashing out at the "information anarchy" that currently exists with respect to vulnerability disclosures.

But some users are less than enthusiastic about the alliance's efforts. "Quite frankly, I think the 30-day grace period is just another way for Microsoft and others to once again remove themselves from their responsibility for developing quality software before it hits the streets," said John Cowan Jr., an IT manager at Louisville, Ky.-based Caldwell Industries Inc., in an e-mail.

A 30-day moratorium on vulnerability disclosure wouldn't be good for business customers or the consuming public, said Lowell T. Byrd, a vice president at The Insight Group, a Lewes, Del.-based health care and high-tech management consulting firm.

"I would much rather see the vulnerability information remain in the free market so that the good guys can work on protecting themselves even while the bad guys continue their exploitation," he said.
