isn't perfect and neither is the software he writes.
So when a security consultancy finds a hole or bug in
some application, it is quick to announce this to the
world, without giving the developer time to fix the
hackers gleefully use this information for their own
gain. But this may soon change if the efforts of an
industry group are successful. According to a proposed
rule, consultants who find bugs in software will now
have to wait at least 30 days before trumpeting this
to the world. That would give developers sufficient
time to come up with
The Group which calls itself the Organization for Internet
Safety (OIS), comprises eleven software makers and security
firms. It recently announced that it intends to devise
rules regarding how the security community should responsibly
release information on software flaws.
The group's membership includes security companies like
@Stake, BindView, Foundstone, Guardent, ISS, NAI, and
Symantec, as well as software makers Caldera International,
Microsoft, Oracle and SGI.
The OIS says its charter is to make it easier for security
researchers and vendors to work together to fix security
Through a statement posted on its website (www.oisafety.org/about.html),
the OIS says, "Today, there are no agreed-upon
processes for handling security vulnerabilities. Every
vendor has different expectations about how security
researchers should report newly discovered vulnerabilities,
the amount and type of information they should provide,
and so forth. Likewise, every security researcher has
different expectations about how often a vendor should
provide status on ongoing investigations, give credit
to the finder, and so forth."
The lack of any consensus procedures complicates the
process of fixing vulnerabilities, and ultimately increases
the risk that all computer users face.
OIS was formed as a unique partnership between leading
security researchers and vendors, for the purpose of
proposing such processes.