[Full-Disclosure] ISS issues bug disclosure guidelines
guninski at guninski.com
Tue Dec 3 10:16:58 GMT 2002
Personally don't care about ISS's guidelines. Of course they can do whatever
they wish with their 0days.
*My* 0days are another topic. For them I care about applicable laws where I live
(and of course as this list shows, there are ways to post quite anonymously).
And this guideline:
Is much more appealing to me.
So after the responsibility rfc got busted, they are fighting at corporate
I am thinking about making entities on my black list (microsoft, securityfocus,
mitre, cert) beg for 0days in any form.
The idea is making a license agreement/non-disclosure agreement in the
publication/code which makes them not eligible to read/use the intellectual
property at all. A lawyer said this approach is legal (of course it is difficult
to enforce). In addition encoding like ROT13 may be used to prevent them from
reverse engineering the IP (cough cough DMCA) :). There are several precedents
of high profile code which forbids including in sf's vuln db.
Has anyone tried something like the above or has advice?
Richard M. Smith wrote:
> Internet Security Systems Issues Vulnerability Disclosure Guidelines,
> Aligns with National Efforts For Responsible Disclosure of Security
> ATLANTA, Ga. - December 2, 2002 - In its continuing effort to provide
> customers with the most reliable source of global security intelligence
> information, Internet Security Systems, Inc. (ISS) (Nasdaq: ISSX) today
> released its current Vulnerability Disclosure Guidelines. ISS'
> Vulnerability Disclosure Guidelines outline the process and procedures
> under which vulnerabilities that are researched and discovered by the
> ISS X-Force™ are disclosed to software and hardware vendors, customers,
> and the public. The X-Force is ISS' renowned security intelligence
> research and development team.
> "Responsible discovery and disclosure of security vulnerabilities
> continues to be a topic of great interest. It's under much scrutiny in
> the public and private sectors, and it should be, if the protection of
> critical infrastructures around the world is of any concern," said Chris
> Rouland, director, X-Force, Internet Security Systems. "Security
> research organizations need to implement standards that reflect the
> public's need to know vital information about vulnerabilities in a
> timely manner, but that also give ample consideration to software
> vendors working to remedy issues in their products, so that the public
> is not put at risk without a corrective action available. We believe
> that publishing our current guidelines will help with the dialog and
> encourage other security research organizations to implement similar
> The guidelines align with the efforts of the U.S. government and other
> organizations to promote responsible disclosure of newly discovered
> computer network vulnerabilities. The guidelines aim to balance the need
> of the public to receive timely, critical information on newly
> discovered vulnerabilities with software vendors' need for sufficient
> time to correct security issues identified in their products.
> "Computer users benefit when security researchers and software vendors
> work together to identify and eliminate security vulnerabilities
> quickly," said Scott Culp, Manager of the Microsoft Security Response
> Center. "We applaud ISS for taking a leadership role in this area and
> developing corporate guidelines that clearly reflect users' best
> Paul Vixie, Chairman of Internet Software Consortium, Inc., and main
> author of BIND-8, adds "when a vulnerability is discovered, it's very
> important to get fixes into the field as quickly as possible. But
> there's a tight balance between helping vendors and end-users protect
> their products and systems, as opposed to helping the bad guys learn how
> to exploit the vulnerabilities. This is especially true in the open
> source community where the tension between what's public and what's
> private is particularly high. ISS X-Force's guidelines are exemplary in
> their respect for both the dangers and requirements of vulnerability
> disclosure. Others in the field should take note."
> Internet Security Systems X-Force guidelines contain a four-phase
> process, which includes the Initial Discovery Phase, Vendor Notification
> Phase, Customer Notification Phase and Public Disclosure Phase. The
> process and procedures outlined in the guidelines are the same for all
> vendors. The ISS X-Force defines a vendor as any company, group or
> organization that develops and provides software, hardware or firmware
> applications either for sale or as part of a free distribution. The ISS
> Vulnerability Disclosure Guidelines are available for public review in
> their entirety on the Internet Security Systems web site at
> http://documents.iss.net/literature/vulnerability_guidelines.pdf. These
> guidelines may change from time to time to reflect current best
> As a founding member of the Organization for Internet Safety (OIS),
> Internet Security Systems has worked closely with committee members to
> ensure the guidelines conform to industry best practices. ISS also
> sought input on the guidelines from additional public and private
> organizations in order to develop a document that effectively reflects
> the efforts and concerns resonating throughout the security industry
> with regards to responsible disclosure of security vulnerabilities.
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure is hosted and sponsored by Secunia.