A proposal for a new process for disclosing security vulnerabilities has reignited the old debate over how flaws should be published and whether theres any way to regulate the process.
The document, titled “Responsible Disclosure Process,” outlines a detailed, step-by-step process for everyone involved in the discovery and reporting of vulnerabilities—including researchers, vendors and third-party security experts.
Written by Chris Wysopal, director of research and development at @Stake Inc., in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., based in Bedford, Mass., the document was forwarded to the Internet Engineering Task Force last week.
Its release comes at a time when the security community is struggling to find a common policy for vulnerability disclosure that is acceptable to everyone involved. This is a goal that many acknowledge may be unrealistic, considering the vastly differing motivations of the various players.
Wysopal and Christeys document, known as an Internet-Draft in IETF terminology, suggests that vendors work closely with the researchers who discover security flaws and keep them updated as the vendors work on patches or workarounds for vulnerabilities. Specifically, the proposal asks that vendors acknowledge receipt of the vulnerability report within seven days and provide a detailed response within 10 days.
The document also suggests that the vendor contact the person who found the flaw, called a “reporter” in the document, every seven days during the patch-research process and try to resolve the vulnerability within 30 days.
The proposal also lays out specific behavior for the reporters, a group that includes legitimate security researchers in corporate labs, hackers, researchers at security vendors looking for free publicity and any number of other participants.
However, some critics say the proposal is too detailed and lacks a set of consequences for researchers and vendors that fail to adhere to it.
“In general, I think its too detailed and long, fails to define repercussions if its not adhered to, puts too much onus on vendors, and fails to put enough responsibility on discoverers,” said Russ Cooper, surgeon general at TruSecure Corp., based in Herndon, Va.
“In my mind, you have to penalize those people who perpetrate attacks and those people who dont adequately secure the systems and networks they own or run,” said Cooper. “You crack down at the ISPs and make them do more to limit the effects of globally disseminated information.”