Security Firm Rewrites Rules on Disclosing Flaws

Internet Security Systems, which has been criticized for publicly releasing information about security problems in software before giving application developers time to deal with holes, has issued a revised set of guidelines for how it will handle security warnings.

The Atlanta-based ISS posted the guidelines on its Web site Monday, along with a statement from Chris Rouland, director of the company's X-Force group of security experts, whose aim is to determine online threats and issue information about them. Security researchers need to have standards that take into account the public's need to know about vulnerabilities but also "give ample consideration to software vendors working to remedy issues in their products," the statement said.

The guidelines, posted as a six-page document, include four phases: discovery, vendor notification, customer notification, and public disclosure. The guidelines are the same for all vendors, so developers of open-source software and proprietary developers receive equal treatment.

The change in ISS guidelines follows criticism of the company for releasing information in June about problems with the widely used Apache Web server software without giving developers much time to tend to the holes first.

Under the guidelines, which are dated November 18, X-Force will document security vulnerabilities in a draft advisory and then create a brief about the problem. Next, X-Force will contact the affected vendor, which is defined as a company, group, or organization that develops and provides software, hardware, or firmware for sale or free.

X-Force will work with the vendor to reproduce the vulnerability and provide information about it, and may also help with testing patches or workarounds.

Vendors will have 30 days after the initial notification from X-Force to come up with a fix unless a different agreement is in place. X-Force has a list of procedural exceptions when faster disclosure will occur: The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.

Under the usual procedure, though, X-Force will wait the 30 days and then contact the nonprofit research company Mitre to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability.

Before taking the advisory public, X-Force will send a final advisory draft to the vendor for review and comment, and reserves the right to notify or coordinate with third-party groups or government entities during the process of releasing the advisory.

The security brief will be made available to X-Force Threat Analysis Service customers one business day after the initial vendor notification. X-Force will revise security briefs if additional information emerges during development of the advisory.

After the 30-day period is up, X-Force will publicly release the security brief to a number of mailing lists, forums, and groups, and will post it on its Web site and through its Threat Analysis Service.