A collection of security companies have formed a group to create standard policies and guidelines for how information about software security flaws is distributed and published.
Created during a series of workshops at Microsoft's three-day Trusted Computing Forum, one of the proposed guidelines would restrict those who find flaws in software products from publishing the methodology on how to exploit those holes for 30 days.
"The main concept is one of acting responsibly with respect to the disclosure of and fixing of vulnerabilities," says Eddie Schwartz, senior vice president and chief operating officer for security company Guardent. "Right now, it's the wild wild west and even well intentioned people don't know what to do."
The group proposed creating a "grace period" in which companies could plug any exploits and distribute patches and tools to customers without fear of any further exploits of the holes. The group will also create a set of procedures that software makers must follow to ensure that users are informed about risks and that vulnerabilities are fixed in a timely manner.
The group was initially backed by six companies, including Microsoft, which was the first software maker to come on board. It will urge independent security researchers, as well as major technology companies like Hewlett-Packard and Sun Microsystems, to join, Schwartz says. Founding members include @stake, Internet Security Systems, Bindview and Foundstone.
The issue is one that Microsoft is close to, as it has recently found itself responding to security holes discovered in its products. The company issued a security bulletin recently warning that information about "cookies" in its Internet Explorer 5.5 and 6.0 browsers can be exposed or altered, making personal information vulnerable (see IE hole reveals users' cookie data).
Craig Mundie, Microsoft's chief technology officer for advanced strategies, addressed similar security issues during the first day of the Trusted Computing Forum last Tuesday. Mundie went as far as comparing the malicious coders who have exploited holes in Microsoft's software to the terrorist cells behind the attacks on the US.
"The evolution of hacking is very, very akin to this network of terror cells," he said at the forum. "And there is the potential to treat them the way we treat terrorist cells."
Scott Culp, manager of Microsoft's security response centre who was present during the working group, also published an essay earlier this month criticising the publication of "exploit code," which allows computer hackers to take advantage of known vulnerabilities.
"It’s high time the security community stopped providing blueprints for building these weapons," he wrote.
However, one independent programmer who identified several high-profile security holes says he doubts that the initial proposal for the industry group will address the core problem behind malicious attacks on software.
"I'm not sure if any hard and fast guidelines are particularly useful," says Marc Slemko, a Seattle-based developer, adding that a 30-day grace period could backfire and take pressure off software makers to fix problems quickly and accurately.
"Some don't have a user's best interest in mind," he says.
Earlier this month, Slemko published technical findings of an exploit he discovered in Microsoft's Passport authentication service three days after he made Microsoft aware of the problem and two days after it was fixed. Slemko has a history of airing security flaws including one in September that he says left Verizon Wireless vulnerable to exploits.
"It certainly is true that there are certain individuals that go about releasing security holes in ways that are not designed in the best interest of the companies or the users of that software," Slemko says. "While I don't see any obligation to consider these guidelines seriously, there are some societal responsibilities to the users of the products."
Guardent's Schwartz stressed that the proposals from the new group will also force the software makers to act more responsibly.
"They're going to be under more pressure because they're going to have reporting requirements to follow," Schwartz says.
Microsoft agreed during the conference that it must be more responsible to ensure security in its products, he says.
"Obviously, Microsoft has some interest in this -- their customers are getting beaten up," he says.