Security bug disclosure standard dead in the water

me101   on 18 March 2002 - 21:49 · no comments & 82 views

Proponents of an effort to standardize the handling of computer security vulnerabilities today aborted the effort after receiving critical comments from reviewers.

In a message today to members of the Internet Engineering Task Force's Security Area Advisory Group, the authors announced they were withdrawing the draft in response to feedback from members who felt the document was not appropriate for the IETF "since it does not deal with technical protocols."

The proposed standard, laid out in a document called "Responsible Vulnerability Disclosure Process," was submitted last month to the IETF, an Internet standards body, by Steve Christey and Chris Wysopal, security researchers from Mitre Corp. and AtStake, respectively.

The document proposed a set of "best practices" to be used by product vendors, security researchers and others involved in the disclosure of computer security flaws.

Under the proposed standard, discoverers of security bugs would honor a 30-day grace period after reporting a flaw to a vendor before disclosing its details. Vendors in turn would be expected to acknowledge bug reports within seven days and to set up a dedicated e-mail address for receiving them.

"There does not appear to be any way to achieve consensus on that issue, regardless of the merits of the current draft or any future document that may attempt to describe disclosure recommendations," said Christey in the message today.

The announcement of the proposed standard's demise stated that the authors are "currently identifying other forums that may be more suitable for discussion of the current document and future revisions. If we can't find such a forum, we will create one."

While many security researchers and vendors already follow the practices detailed in the proposed IETF standard,

Some security researchers expressed concerns that codifying a reporting standard could have negative consequences. In a posting to the SAAG mailing list last month titled "Thanks, I am not buying this RFC," Georgi Guninski, a Bulgarian security consultant, stated that the proposed standard could allow vendors to label bug finders as "irresponsible while shifting the focus from their buggyware."

News source: Newsbytes
View: IETF - Responsible Vulnerability Disclosure Process


"We have strong relationships with many of the state attorneys general," said Microsoft spokesman Jim Desler. "We work with them on various activities and initiatives. On this issue, we agree to disagree. While the states do have a role in antitrust enforcement, the non-settling states stepped outside the boundaries of that role when they chose to pursue a different course from the Justice Department, resulting in conflicting national competition policy."

In making the filing, the states are trying to protect their sovereignty over antitrust matters, something a dismissal could potentially undermine, said legal experts.

"There are a lot of us who, having done antitrust defense, would like to see this whole dual-sovereignty issue resolved," said Emmett Stanton, an antitrust lawyer with Fenwick & West in Palo Alto, Calif. "If there was a case to challenge this, this would be the one."

The "friends of court" briefs filed by the 25 states were not expected, but a third brief from the litigating states came as no surprise. The states rebutted Microsoft's request more in the context of the overall antitrust case than in regard to the sovereignty issue.

They argued that Microsoft's request is "effectively, a motion to set aside the Court of Appeals' mandate."

In June 2001, seven judges of the Court of Appeals unanimously upheld eight separate antitrust violations against Microsoft.

The filings could give the litigating states important air cover as they return to court next week for what could be as much as eight weeks of testimony. They are looking for stiffer sanctions than those proposed by the Justice Department and the settling states. The settlement largely puts restrictions on Microsoft's business practices. The litigating states also want restrictions on how Microsoft develops and deploys software.

While overseeing the settlement proceeding, Kollar-Kotelly must weigh whether the settlement meets the standard demanded by the Nixon-era Tunney Act. That law requires that a settlement be in the public interest and that no backroom dealmaking influence the process. Kollar-Kotelly could reject or approve the proposed deal at any time.
