As the debate over the responsible handling of vulnerability warnings continues to grow, the Organization for Internet Safety (OIS) is proposing the use of binding arbitration to resolve conflicts and deadlocks between vendors and researchers.
The OIS, a consortium of software vendors, security researchers and consultancies, issued a preliminary draft of best practices for reporting and responding to security vulnerabilities that included the recommendation that an arbitrator be asked to adjudicate a dispute over how a vulnerability alert should be issued.
The guidelines come on the heels of two major quarrels in recent months over the issue of responsible reporting and response from the vendor community. Just last week, SPI Dynamics released details of multiple security holes in the Sun ONE Application Server 7.0 without the availability of a patch or workaround from Sun Microsystems. SPI Dynamics claimed it had exhausted all avenues for communication with the company before it decided to run with its warning.
Before that, the Apache Software Foundation (ASF) was involved in a public spat with Internet Security Systems (ISS) over the way a warning about a security hole in the Apache HTTP Server was handled. In that case, an easy-to-use exploit for the hole was circulating on the Internet before Apache got a chance to plug the vulnerability. Apache officials were upset that they weren't notified before ISS issued its advisory, the normal procedure when bugs are detected.
With the issue apparently heading for a boiling point, the OIS has set out a specific time frame in which the vendor and researcher must deal with each other.
"By convention, 30 calendar days [have] been established as a good starting point for the discussions, as it often provides an appropriate balance between timeliness and thoroughness," the group recommended, noting that there was no single universally appropriate timeframe for investigating and remedying security vulnerabilities.
"The Finder and Vendor must work together to develop a target timeframe that balances the risk posed by a particular vulnerability versus the engineering challenges associated with thoroughly investigating and effectively remedying it," it added.
Within that agreed-upon timeframe, the OIS proposes that predictable and regular communications occur between the Finder and Vendor. "Within seven calendar days of receiving the Finder's report, the Vendor acknowledges its receipt. Thereafter, the Vendor provides status updates every seven calendar days, unless a different interval has been mutually agreed to. If the Finder does not receive these communications, it sends a request to the Vendor, which the Vendor responds to within three calendar days," according to the draft guidelines.
Once the investigation is complete and a remedy has been delivered, one additional timeline remains for regulating the release of details that could lead directly to attacks if misused. "The Finder and Vendor observe a 30-day grace period beginning with the release of the remedy, during which they provide such details only to people and organizations that play a critical role in advancing the security of users, critical infrastructures, and the Internet. Upon the expiration of the grace period, these details can be shared more broadly," the group said.
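To make the draft's timeline concrete, here is an added example (not OIS material, and not tooling from any member company) of how a vendor could track its own obligations under the schedule quoted above: the 7-day acknowledgement, the 7-day status updates, the 3-day reply to a Finder's request, and the 30-day grace period after the remedy. The `DisclosureCase` class and the sample dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Intervals named in the OIS draft, all in calendar days.
ACK_DAYS = 7              # Vendor acknowledges receipt of the Finder's report
STATUS_INTERVAL_DAYS = 7  # default interval for Vendor status updates
REQUEST_REPLY_DAYS = 3    # Vendor answers a Finder's request for an update
GRACE_DAYS = 30           # restricted sharing of attack details after the remedy


@dataclass
class DisclosureCase:
    """Hypothetical tracker for one Finder/Vendor case (constructed example)."""
    reported: date
    acknowledged: Optional[date] = None
    status_updates: List[date] = field(default_factory=list)   # Vendor updates
    finder_requests: List[date] = field(default_factory=list)  # Finder chased
    vendor_replies: List[date] = field(default_factory=list)   # Vendor answered
    remedy_released: Optional[date] = None
    status_interval: int = STATUS_INTERVAL_DAYS  # may be mutually re-negotiated

    def overdue(self, today: date) -> List[str]:
        """Return the Vendor obligations that are late as of `today`."""
        late = []
        if self.acknowledged is None:
            if today > self.reported + timedelta(days=ACK_DAYS):
                late.append("acknowledgement")
        elif self.remedy_released is None:
            # Updates are due every `status_interval` days after the last contact.
            last = max([self.acknowledged] + self.status_updates)
            if today > last + timedelta(days=self.status_interval):
                late.append("status update")
        for asked in self.finder_requests:
            deadline = asked + timedelta(days=REQUEST_REPLY_DAYS)
            answered = any(asked <= r <= deadline for r in self.vendor_replies)
            if not answered and today > deadline:
                late.append("reply to Finder request of %s" % asked)
        return late

    def details_shareable_broadly(self, today: date) -> bool:
        """True once the grace period following the remedy has expired."""
        if self.remedy_released is None:
            return False
        return today >= self.remedy_released + timedelta(days=GRACE_DAYS)
```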
The draft guidelines, which will be circulated over the next 30 days for public comment, insist on a mutual way to work around irreconcilable disagreements. "They (vendors and finders) should consider involving an Arbitrator, to review each party's claims and adjudicate the dispute. The scope of the Arbitrator's engagement should be clearly spelled out, including whether both parties agree to be bound by its findings," the group said.
The draft places great emphasis on the need for trustworthy communication between all parties. "A key principle of security reporting and response is that the best results occur when the Finder and Vendor establish effective communications and maintain them throughout the investigation process, and develop mutually acceptable solutions," it states.
"Indeed, this process exists to provide a framework in which this can occur easily and, whenever possible, both Finder and Vendor should work within the process to resolve any conflicts, deadlocks, or communications breakdowns that may arise," it added.
"More often, communication failures result from benign causes such as human error or temporary e-mail outages; likewise, even reasonable people can disagree about the most appropriate solution to a complex problem. With this in mind, and recognizing the risk that security vulnerabilities pose, several guiding principles should be observed when considering exiting this process to resolve a deadlock," according to the detailed guidelines.
The group urged that any exit from the communications process be done "only after exhausting reasonable efforts."
"For instance, many Finders and Vendors employ a 'three strikes' policy, under which they will declare a deadlock only if three independent attempts have failed to resolve the communications problem or disagreement. Exit the process only after providing notice. One party's decision to exit the process should not be a surprise to the other party," the group implored.
Members of OIS include @stake, BindView Corp., The SCO Group, Foundstone, Guardent, Internet Security Systems, Microsoft, Network Associates, Oracle, SGI and Symantec.