Vendors form group to regulate security disclosures

Microsoft Corp. is among five security vendors lobbying to invoke standards and best practices pertaining to the release of information about security vulnerabilities.

The group, which unveiled its intentions at Microsoft's Trusted Computing Forum 2001 this week, also includes security companies Guardent, Internet Security Systems (ISS), @stake, Foundstone, and Bindview.

News of the newly formed contingent and its mission has already drawn jeers from some sectors. Pundits argue that security information disseminated and revealed in newsgroups and security newsletters does more harm than good and should not be governed by any central body -- particularly vendors with product or services sales to consider in their efforts.

The security group has come together to bring a sense of managed control and responsibility to the escalating problem of viruses, including Nimda and Code Red I, II, and other computer attacks that have bombarded end-users during the past half-year, said Eddie Schwartz, COO of Waltham, Mass.-based Guardent Inc.

"Our customers are getting beaten up. They're pulling out their hair and saying 'What can I do to get a grip on this stuff?'" Schwartz said. "To publish [code] scripts that basically down a server, or destroy data -- that's completely irresponsible. It's silly that all of us that have the ability to control this outcome and don't do something less destructive."

According to Schwartz, the five companies have spent the past few months working together to assemble the parameters of the initiative. Under its plan, vendors or clients who discover vulnerabilities would agree to a 30-day "period of conduct," or grace period, before disclosing the vulnerability, thereby giving the security vendors sufficient notice to prepare proper fixes and defenses against it. But he said Perl scripts, C programs, or other tools that could be used to exploit the vulnerability will not be released.

Microsoft has not proven shy in its efforts to rally the cry to stop proliferation of vulnerability information. Last month, Scott Culp, manager of the Redmond, Wash.-based software giant's security response center, wrote a paper about the subject denouncing the situation as "information anarchy."

Schwartz said that during the next 30 days the group will attempt to set up guidelines, recruit new companies as members, and establish standards and bylaws. During that time, he said, it will decide upon a name and hammer out its bylaws, seek to accept the membership of major systems vendors such as Cisco Systems Inc., Hewlett-Packard Co., and Sun Microsystems Inc., and submit its proposal as an RFC to the IETF for peer review.

Although law enforcement will be kept abreast of developments, Schwartz said it has yet to be decided if all group security members will receive vulnerability information from any of its membership, or if that information will be shared with affiliated member groups.

He said the newly formed vulnerability disclosure group is willing to accept any qualified security expert or hobbyist at its table, but only if they agree to follow the strict rules it sets forth.

"We have to self-regulate on this issue. You can play in this [security] space effectively but the trick is you have to agree to sign up for these principles and behave yourself," Schwartz added.

An outcry is being voiced by members of the security developer community, most notably those affiliated with the popular BugTraq security mailing list, who see regulation pitfalls and vendors' own interests interfering with the list's mission of providing users with extra protection.

"What we're seeing here is the beginning of a vulnerability-information cartel. Most of these companies use this information on a daily basis to create products or sell services to customers," said Elias Levy, CTO of San Mateo, Calif.-based Securityfocus.com and moderator of BugTraq. "The idea that suppressing [vulnerability] information will make [malicious hackers and/or code writers] go away is false."

Levy said security developers and network administrators who depend on the dissemination of security vulnerabilities to create patches or solve security problems within their enterprises will be hamstrung if the flow of information is culled or altogether stopped by the new security group. He also said there is no effective means for vendors to control the flow of that information to their designated sources.

"You have to remember that they're talking about a fairly large group of people to be included in this little 'cabal.' Companies, customers, or third parties -- we're talking about potentially thousands and thousands of people to gain access to this vulnerability information," Levy said.

Levy said that the security vendors' own tools, available on their Web sites, can often become a far more dangerous form of attack if subverted by a hacker than the common buffer overflows or similar "exploits" that the security group has vowed to stop.
