Organization for Internet Safety

Summary of Changes in Guidelines for Security Vulnerability Reporting and Response, Version 1.5

As described in the announcement of the public review period, the OIS members have already received very valuable feedback from a number of people and organizations. We have used this feedback to develop an intermediate version of the Guidelines, which we have labeled Version 1.5 and hosted at http://www.oisafety.org/review/draft-1.5.pdf. We recommend providing feedback on this version, rather than on the original document.

The most frequently received recommendations were that we shorten and streamline the Guidelines, and that we ensure they are consistent with the recommendations made by several public-private partnerships. We have endeavored to do this, through changes such as the following:

  • “De-tableizing” requirements. In the original version of the document, requirements were provided in the form of dual-column tables. Many reviewers felt that this wasted space without improving readability. In the Version 1.5 document, requirements are presented as numbered paragraphs, with the requirements for each section grouped in a sub-section titled “Requirements”.
  • Removing sample documents. The original version of the Guidelines supplied a number of appendices, containing sample content and format for the Vulnerability Summary Report and other documents. Many reviewers felt these should be provided as separately downloadable documents, and we have done so. When the new version of the Guidelines is posted, these documents will be hosted on the OIS web site.
  • Adding diagrams. Many reviewers recommended that we include process flow diagrams to aid the reader in understanding the major steps in the process. We have included such a diagram in each section of Version 1.5.
  • Synchronizing with industry working group recommendations. The National Infrastructure Advisory Council (NIAC) and the National Cyber Security Partnership (NCSP) have recently published reports with recommendations regarding the handling of security vulnerabilities, and we have made changes to align the Guidelines with them. For instance, we have adopted the NIAC recommendation to support PGP as a lingua franca for encrypted communications, and the NCSP recommendation to provide methods for anonymously reporting vulnerabilities.

In addition to these major changes, we have also made a number of minor edits to correct grammatical errors, misspellings, incorrect references, and so forth. We have not published an exhaustive listing of every change, as the modifications described above required significant changes to formatting, section numbers, and so forth. However, reviewers who would like such a listing can generate one using any of the many document comparison tools available.