Organization for Internet Safety

About Organization for Internet Safety

	What companies are members of OIS?
	The current members are: @stake, BindView, Caldera International (The SCO Group), Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, and Symantec. We're actively soliciting software vendors and security research companies to join.

	Why was the OIS formed?
	OIS was formed to make it easier for security researchers and vendors to work together to fix security vulnerabilities. Today, there are no agreed-upon processes for handling security vulnerabilities. Every vendor has different expectations about how security researchers should report newly discovered vulnerabilities, the amount and type of information they should provide, and so forth. Likewise, every security researcher has different expectations about how often a vendor should provide status on ongoing investigations, give credit to the finder, and so forth. The lack of any consensus procedures complicates the process of fixing vulnerabilities, and ultimately increases the risk that all computer users face. OIS was formed as a unique partnership between leading security researchers and vendors, for the purpose of proposing such processes.

	Can individual researchers join OIS?
	OIS is currently made up of companies or organizations. We originally excluded individual researchers on the basis of maintaining equity between the representation of research and vendor communities. Recently, however, we have been reconsidering that decision, though no new decision has been reached. Since the OIS launched, we have been overwhelmed by requests for membership and are deliberating on the best way to address the outpouring of interest. Participation in the mission of the OIS, developing and promulgating guidelines for handling vulnerability information, does not require membership, however. All interested parties will be strongly encouraged to participate in the review and comment process once the draft guidelines are released.

	How will OIS ensure that the processes actually meet the needs of the security community?
	OIS recognizes that the processes will only be adopted if they represent the consensus of the security community. As a result, OIS is committed to public review and comment on all proposed processes.

	Why does OIS think anyone will adopt the processes it develops?
	It's our shared experience that the vast majority of security professionals and vendors want to handle security vulnerabilities in a way that minimizes the risk they pose. We believe that if we help provide a tool that lets them do this more effectively, they'll use it.

	Does the OIS plan to make these processes mandatory in some way?
	Absolutely not. These are best practices, not laws, and people will always be able to choose whether to use them or not.

	Does OIS support a federal law codifying the disclosure process?
	No. We believe the industry should self-regulate and are attempting to move along the process of self-regulation.

	Is OIS affiliated with any national governments?
	No. Although many governments are concerned about the need to protect critical infrastructures, and support private industry efforts that hold the promise of doing this more effectively, OIS is entirely a private enterprise conceived and executed by the member companies.

	I heard that OIS was just a smokescreen by which vendors plan to hide their security vulnerabilities. Is this true?
	No. Clearly, any process that put demands on security researchers but not on vendors wouldn't be adopted by the security community. The processes the OIS is developing will apply to both vendors and researchers, and require commitments from both. The goal is to make all of our processes consistent, transparent, and effective.

	Does OIS support pre-disclosure of vulnerability information to select groups?
	No. We believe the software author should be given a chance to create a fix before vulnerability information is made public, but that there should be no further distribution of that information until the fix is complete. This priniciple can be very difficult to adhere to in certain situations, such as dealing with the open source community where there aren't protections to keep vulnerability information secret.

	Does OIS exchange non-public vulnerability information amongst its membership?
	No. The OIS Code of Conduct prohibits the distribution of vulnerability information to anyone other than the discoverer and the software author.

	What does OIS think about the auctioning or selling of non-public vulnerability information?
	We believe that it is unethical to intentionally make one person more vulnerable than another. Pre-release communities distribute the information too broadly for it to be kept secret. Once the word is out to some, the risk of exploit increases dramatically, but many people still don't know about the problem. While we have no illusions about the possibility of the vulnerability being known outside the vendor and researcher, we prefer not to add to that problem.

	Will the processes be industry standards?
	It's difficult to say at this point. Because the processes we're developing are human processes, rather than technical specifications, it's not clear whether they'll be eligible to be adopted by an industry standards body. We're still investigating the best way to publish and host them.

	Why did the IETF reject the Responsible Disclosure Internet Draft as a standard?
	The IETF did not think of itself as the proper venue for a non-technical procedural standard.

	What's the advisory board?
	The member companies want to ensure that we're representing the interests of computer users, and to do that we've asked some of the leading security voices to help us do this by joining our advisory board. The board is still being formed, but we hope to include among its members recognized security experts as well as representatives from companies that operate some of the world's largest networks and therefore have a keen sense for security issues.

	What is the OIS code of conduct? How does it relate to the responsible disclosure policies and procedures that OIS is creating?
	The code of conduct outlines some of the fundamental issues of responsible disclosure that the members of OIS agree upon. It is likely that its spirit will be embodied in more detailed policies and procedures that OIS is working on. OIS encourages vendors and researchers to adopt a similar code of conduct.

	OIS's code of conduct prohibits publishing "proof of concept" code. How are customers going to be able to know that the fixes are working? How are IDS vendors going to create a signature for the vulnerability?
	While those examples are ethical and legal uses for "proof of concept" code, there are unfortunately very dangerous and illegal uses for that code, such as the easy creation of malicious tools and worms. OIS is concerned about Internet safety as a whole. It may be true that a small number of sophisticated administrators can make beneficial use of "proof of concept" code, but its publication puts the vast number of internet users at serious risk.

	Why all this effort on standardizing disclosure? Why not just build the software more securely in the first place? Where are the secure software standards?
	The vendors and security companies that are part of OIS heartily agree that software needs to be built more securely in the first place. Efforts are underway at many vendors to improve the security of their products when they ship. Many of the security companies work with software developers to help them design and test their products for security before they are delivered to customers.