As the debate over the responsible handling of vulnerability warnings continues to grow, the Organization for Internet Safety (OIS) is proposing the use of binding arbitration to resolve conflicts and deadlocks between vendors and researchers.
The OIS, a consortium of software vendors, security researchers and
consultancies, issued a preliminary draft of best practices for
reporting and responding to security vulnerabilities that included the
recommendation that an arbitrator be asked to adjudicate a dispute over how
a vulnerability alert should be issued.
The guidelines come on the heels of two major quarrels in recent months
over the issue of responsible reporting and response from the vendor
community. Just last week, Spi Dynamics released
details of multiple security holes in the Sun ONE Application Server 7.0
without the availability of a patch or workaround from Sun Microsystems
Spi Dynamics claimed it had exhausted all avenues for communication with
the company before it decided to run with its warning.
Before that, the Apache Software Foundation (ASF) was involved in a public
spat with the Internet Security Systems (ISS) over the way a warning
about a security hole in the Apache HTTP Server was handled. In that case,
an easy-to-use exploit for the hole was circulating on the Internet before
Apache got a chance to plug the vulnerability. Apache officials were upset
they weren’t first notified before the ISS issued its advisory, a normal
procedure when bugs are detected.
With the issue apparently heading for a boiling point, the OIS has set out a specific
time frame in which the vendor and researcher must deal with each other.
“By convention, 30 calendar days [have] been established as a good starting
point for the discussions, as it often provides an appropriate balance
between timeliness and thoroughness,” the group recommended, noting that
there was no single universally appropriate timeframe for investigating and
remedying security vulnerabilities.
“The Finder and Vendor must work together to develop a target timeframe
that balances the risk posed by a particular vulnerability versus the
engineering challenges associated with thoroughly investigating and
effectively remedying it,” it added.
Within that agreed-upon timeframe, the OIS proposes that predictable and
regular communications occur between the Finder and Vendor. “Within seven
calendar days of receiving the Finder’s report, the Vendor acknowledges its
receipt. Thereafter, the Vendor provides status updates every seven
calendar days, unless a different interval has been mutually agreed to. If
the Finder does not receive these communications, it sends a request to the
Vendor, which the Vendor responds to within three calendar days,” according
to the draft guidelines.
Once the investigation is complete and a remedy has been delivered, one
additional timeline remains for regulating the release of details that could
lead directly to attacks if misused. The Finder and Vendor observe a 30-day
grace period beginning with the release of the remedy, during which they
provide such details only people and organizations that play a critical role
in advancing the security of users, critical infrastructures, and the
Internet. Upon the expiration of the grace period, these details can be
shared more broadly,” the group said.
The draft guidelines, which will be circulated over the next 30 days for
public comment, insists on a mutual way to work around irreconcilable
disagreements. “They (vendors and finders) should consider involving an
Arbitrator, to review each party’s claims and adjudicate the dispute. The scope of the Arbitrator’s engagement should be clearly spelled out, including whether both parties agree to be bound by its findings,” the group
Placing a great emphasis on the need for trustworthy communication
between all parties. “A key principle of security reporting and response is
that the best results occur when the Finder and Vendor establish effective
communications and maintain them throughout the investigation process, and
develop mutually acceptable solutions.”
“Indeed, this process exists to provide a framework in which this can
occur easily and, whenever possible, both Finder and Vendor should work
within the process to resolve any conflicts, deadlocks, or communications
breakdowns that may arise,” it added.
“More often, communication failures result from benign causes such as
human error or temporary e-mail outages; likewise, even reasonable people
can disagree about the most appropriate solution to a complex problem. With
this in mind, and recognizing the risk that security vulnerabilities pose,
several guiding principles should be observed when considering exiting this
process to resolve a deadlock,” according to the detailed guidelines.
The group urged that an exiting of the communication the process be done
“only after exhausting reasonable efforts.”
“For instance, many Finders and Vendors employ a ‘three strikes’ policy,
under which they will declare a deadlock only if three independent attempts
have failed to resolve the communications problem or disagreement. Exit the
process only after providing notice. One party’s decision to exit the
process should not be a surprise to the other party,” the group
Members of OIS include @stake, BindView Corp., The SCO Group, Foundstone,
Guardent, Internet Security Systems, Microsoft, Network Associates, Oracle,
SGI and Symantec.