ISS Goes Public with Disclosure Policy

In the face of public criticisms over its handling of software security alerts, Atlanta-based Internet Security Systems on Monday went public with its Vulnerability Disclosure Guidelines, maintaining subscribers to its X-Force Threat Analysis Service will be warned of new vulnerabilities one business day after the affected vendor is notified.

The public release of the Disclosure Guidelines comes just weeks after security experts chided ISS for releasing information about security flaws in the BIND server and Sun's Solaris Font Service without giving the affected vendors enough time to issue patches or fixes.

In the case of the Solaris flaw, the ISS X-Serve Unit detected the security hole and released the information before Sun could issue a comprehensive fix. As it is, only a workaround could be made available to users of the Solaris Font Service.

But ISS is maintaining that customers who subscribe to its Threat Analysis Service will get early warnings, and information on any counter-measures that may be available, shortly after the software vendor is notified.

The ISS Guidelines, which were updated to "clearly define and communicate" the processes to the vendor community, spell out the procedure used to issue security advisories once a vulnerability is detected.

The guidelines appear fairly standard, and a spokesman for ISS told internetnews.com that they do not contain any major changes from the existing policy. "X-Force's definition of a vendor or proper vendor notification has not changed, but this document clearly communicates to the industry how we define a vendor and proper vendor notification," the spokesman said.

ISS also maintained it would publicly warn of new flaws 30 days (or sooner) after the affected vendor is contacted unless special arrangements dictate otherwise.

It also retained the right to issue an advisory if reports of a vulnerability are made available on a public mailing list, in a news article, or if a vendor is unresponsive to its initial notification. In those cases, ISS said it would speed up the public release of its alert.

"The guidelines align with the efforts of the U.S. government and other organizations to promote responsible disclosure of newly discovered computer network vulnerabilities. The guidelines aim to balance the need of the public to receive timely, critical information on newly discovered vulnerabilities with software vendors' need for sufficient time to correct security issues identified in their products," ISS said.

Earlier this year, the government urged "white hat" hackers to avoid full disclosure of vulnerabilities. Richard Clarke, President Bush's special advisor for cyberspace security, said security professionals have an obligation to be responsible with the disclosure of security vulnerabilities. They should first report vulnerabilities to the vendor who makes the software in which the vulnerability is found, and then tell the government if the vendor doesn't take action.

Only after a patch for the vulnerability is distributed, Clarke told an IT security audience, should others be notified about the vulnerability. "It's irresponsible and sometimes extremely damaging to release information before the patch is out."

In a statement Monday, Director of ISS X-Force Chris Rouland alluded to the recent interest in the way discovery and disclosure of security flaws are handled. "Security research organizations need to implement standards that reflect the public's need to know vital information about vulnerabilities in a timely manner, but that also give ample consideration to software vendors working to remedy issues in their products, so that the public is not put at risk without a corrective action available," Rouland said.

"We believe that publishing our current guidelines will help with the dialog and encourage other security research organizations to implement similar procedures," he added.