A Modest Proposal--Or An Impossible Task? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

A Modest Proposal--Or An Impossible Task?

New suggested guidelines address how bug-finders should report vulnerabilities to software companies and how vendors should respond.

A team of security researchers is proposing a new set of standards for the way software vulnerabilities are discovered and publicized, addressing a growing debate over industry practices.

Software vulnerabilities discovered by researchers and users are reported in a haphazard fashion, with some bug-spotters immediately posting them on the Internet and others reporting them privately to the software makers. The new proposal aims to set a standard process for reporting bugs, thus providing "a means to address the common goal of providing more secure products while reducing the risk to customers," according to the paper.

The paper recommends that bug-finders adhere to responsible reporting practices, verifying their discoveries and contacting vendors before publicizing vulnerabilities. In turn, software makers would be expected to respond quickly to those reports and provide information about their progress in closing the holes. The process would require vendors to respond to bug reports within seven days and would set limits on how long they have to fix the problems.

Some security researchers are critical of that idea. "I think it's too anti-vendor," says Russ Cooper, editor of security mailing list NTBugtraq. "What if I'm a small vendor and this week my push is getting a new version out, and I just don't have time to fix a bug right now? It's not always possible to define the problem in the period of time that you are given."

The proposal, known as an Internet draft, was written by Steve Christey of government technology contractor Mitre Corp. and Chris Wysopal of security consulting firm @Stake Inc. It has been submitted for comment to the Internet Engineering Task Force, an international organization of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.

The complete text of the proposal can be found at http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Slideshows
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
Commentary
The Growing Security Priority for DevOps and Cloud Migration
Joao-Pierre S. Ruth, Senior Writer,  9/3/2020
Commentary
Dark Side of AI: How to Make Artificial Intelligence Trustworthy
Guest Commentary, Guest Commentary,  9/15/2020
Register for InformationWeek Newsletters
Video
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll