Net group wants input on vulnerability reporting guide

The Organization for Internet Safety is soliciting comments on its guidelines for reporting and responding to software security vulnerabilities.

OIS, a consortium of software vendors, researchers and security consultants, released the guidelines in July 2003, hoping to bring some order to the continual struggle between code makers and code breakers. The second version is expected to be available in mid-July.

OIS hopes to address some issues in the second release that were sidestepped in the first edition, such as what role, if any, the government should play in vulnerability reporting.

That was one of the few issues on which the drafters could not come to any clear consensus last year, said Scott Blake, vice president of information security for BindView Corp. of Houston and chairman of the OIS communications committee.

"We're hoping to get some additional comment on that that would help sway us," Blake said. "It is not abundantly clear to us what the right thing to do is."

The voluntary guidelines, available on the OIS Web site, are an effort to balance the public's right to know about possible software problems against the need for vendors to correct those problems before they are made public.

They call for:

  • cooperation between the discoverer of a flaw and the software vendor

  • a waiting period, typically 30 days, to let a vendor correct a problem before it is publicly announced

  • a 30-day grace period to let users fix their systems before technical details that could help attackers are released.

The issue of vulnerability reporting has been a contentious one in security circles. Some assert that the only way to ensure that software makers fix problems is to publicly expose them. Others contend that vendors should be given a chance to fix problems before they are publicly announced and hackers have a chance to exploit them.

Government advisers have called early public release of vulnerabilities irresponsible. Government organizations such as the US Computer Emergency Readiness Team have played a role in timing the release of information on a number of serious vulnerabilities.

Another issue OIS hopes to address is how to deal with problems found in open source software, where there is no clear-cut owner.

Blake said OIS accepts comments on the guidelines year-round, but that "a comment period focuses people's attention on the process."

Many of the comments received in the past year tend to cancel each other out, Blake said. Some feel the guidelines are too loose, others feel they are too stringent. "If nobody is completely happy, we probably are about right," he said.

Comments are being accepted through June 24 at Details for the comment process are available at

About the Author

William Jackson is a Maryland-based freelance writer.
