Message-ID: <40E9AC5A.2000506@isecom.org>
From: pete at isecom.org (Pete Herzog)
Subject: Re: Public Review of OIS Security Vulnerability Reporting and Response Guidelines
All,
The number of researchers locked out of this opinion piece are not alone
in questioning the motives of the OIS. I can only speak for myself but
this process of vulnerability reporting that the OIS suggests is elitist
and unethical. Much more unethical than the releasing of information
publicly to all even if no fix is available.
That there are significant problems with the OIS guidelines is an
understatement. While I agree that there is a need for proposing
guidelines, the actual premise of these particular guidelines
essentially proposes less security. And while the OIS claims it will
not be made into law (http://www.oisafety.org/about.html#6) there is
serious doubt on this premise
(http://www.sbq.com/sbq/vuln_disclosure/sbq_disclosure_liability.pdf) as
existing laws may already be applicable and sure to cause a chilling
effect on security research if these guidelines turn up the heat. Then
the "30 days to disclosure" has no consequence if the research can't be
made in the first place. It would seem that puts the vendor under less
pressure and not more
(http://att.com.com/Panel+defends+flaw+disclosure+guidelines/2100-1002_3-5057914.html).
Another problem is that OIS refused to give independent security
researchers a voice (http://www.oisafety.org/about.html#3) which is the
exact opposite of the claim that the process will actually meet the
needs of the security community (http://www.oisafety.org/about.html#4).
There can be no positive, security reason for this. Are we to assume
that, as according to your guidelines, you will take feedback from all
who are not independent security researchers? How is that label even
defined? How is one a "dependent security researcher" if not dependent
to the vendor?
As if locking out non-vendor-related researchers is not enough, it
becomes even more suspect. Section 2.3 Timeline proposes that the
system be elitist with no mention of how these first-choice groups are
who get the information or how abuse will be handled by those who break
the OIS code of ethics for sharing it with customers, selling it or
auctioning this early warning information. If exploit code is not
allowed and OIS has "no illusions"
(http://www.oisafety.org/about.html#12) that others may already have it,
then why the elitism on who gets to know about it first? This brings me
to the key issue.
The largest problem is that these guidelines don't scale much past the
present where vulnerabilities at worst cause a loss of money. Therefore,
I can't imagine a future where it works when human lives are directly
affected. Vulnerability disclosure aside, it's always better to have
the choice to hear warnings and make rational choices on those warnings
because only the choice maker knows the true value of those choices.
OIS is proposing otherwise (http://www.oisafety.org/about.html#10 and
the "...no illusions...." in
http://www.oisafety.org/about.html#12). Withholding information in an
elitist manner and not giving the public the choice to make their own
security decisions is wrong and unethical.
The OIS committee and guidelines as they stand are absolutely the wrong
foot forward to this future. Not only security researchers should be
angry with this proposal.
Sincerely,
-pete.
Pete Herzog
Managing Director, ISECOM
www.isecom.org
dave wrote:
> Nobody trusts the OIS or its motives. I imagine this is similar to the
> feedback you've gotten from everyone else as well, but Immunity has no
> plans to subscribe to your guidelines, and is going to oppose any
> efforts you make to legislate those guidelines as law. In section 1.1
> the draft proposes that the purpose of the OIS's model is to protect
> systems from vulnerabilities. This is fairly obviously untrue - the
> purpose of the OIS is to lobby towards a business model for Microsoft
> and the other OIS members that involves the removal of non-compliant
> security researchers.
>
> This call for feedback is a thinly disguised attempt to get public
> legitimacy and allow the OIS to claim it has community backing, which it
> clearly does not.
>
> It's rare, but there are still security companies and individuals who do
> not owe their entire business to money from Microsoft. It's July 4th.
> and some of us are Americans who understand the concept of independence.
>
> Dave Aitel
> Immunity, Inc.
>
> OIS wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The Organization for Internet Safety (OIS) extends an invitation to
>>