Security Information

Security Information, Week 40, 2002

Introduction

One of the ongoing discussions regarding security concerns how the public should be informed about new security risks. The two extremes are, on one hand, those who argue that knowledge about a newly discovered software vulnerability should be published in full immediately, and on the other, those who maintain that such knowledge should not be published at all. Between these views lies a variety of nuances, for example those who favour publishing the vulnerability only after giving the vendor advance warning, so that a security patch may be in place before the exposure is known to everyone.

There are strong reasons in favour of both views, for example:

The "full disclosure" camp argues:

  • When a person or organization knows about a vulnerability, it is highly probable that others do too, and the information should therefore be passed on so that everyone can introduce the necessary protective measures.
  • By exposing a vulnerability to the public the vendor is forced to address the problem much faster than otherwise.

The "restricted information" camp argues:

  • Disclosing information about a security risk means notifying a wider audience, thereby increasing the risk that someone may exploit it.
  • The vendor of the flawed software should always be allowed time to verify the alleged vulnerability, develop a patch and test it thoroughly. This is for the benefit of all the involved parties.

Over time, several individuals and organizations have tried to come up with compromises that take both views into consideration. None have so far been generally accepted. Interesting reading is the Full Disclosure Policy (version 2) by "rain forest puppy". This "RFPolicy" has been widely discussed and adopted by some as useful guidelines.

A draft (now expired), Responsible Vulnerability Disclosure Process (2002.10.16: the page has been removed), was submitted to the Internet Engineering Task Force (IETF) in February this year. This document is also recommended reading for those interested in the subject.

A new organization

At the end of September this year a new organization was founded: the Organization for Internet Safety (OIS).

According to the press release of 26 September, the organization was founded

(...) to propose and institutionalize industry best practices for handling security vulnerabilities to ensure that security and technology vendors, and security researchers, can more effectively protect Internet users. (...)

Currently, there are no widely accepted industry best practices for reporting and managing security vulnerabilities. The absence of common processes and best practices can make it extremely difficult for security researchers and vendors to efficiently resolve security issues and keep Internet users and security professionals informed and armed with the most up-to-date security tools. The OIS is founded on the principle that standardized, widely-accepted processes will allow security vulnerabilities to be handled in a way that reduces the dangers they pose and will help security vendors and researchers to more effectively protect Internet users and critical infrastructures.

(...)

The founding members constitute an impressive list of companies well-known in the Internet security area:

  • @stake
  • BindView Corp.
  • Caldera International, Inc. (The SCO Group)
  • Foundstone
  • Guardent
  • Internet Security Systems, Inc.
  • Microsoft Corp.
  • Network Associates
  • Oracle Corporation
  • SGI
  • Symantec

As of this writing, this organization's web site is not very impressive with regard to content. Hopefully this will change as the organization matures. It is safe to say that the founding members have the resources to make this one of the best web sites on Internet safety.

One may hope that the Internet community can establish a set of rules that the majority of the parties involved, vendors as well as those who research security issues in any context, will comply with. It is of utmost importance for the security of the Internet that there is some kind of predictability regarding this vital issue.

Per Olav Førland