For Immediate Release
Organization for Internet Safety Issues First Annual
Public Comment Draft for
Security Vulnerability Reporting and Response Guide
National Cyber Security Partnership Task Force Recommends Guidelines
Houston — May 25, 2004 — The
Organization for Internet Safety (OIS), an alliance of leading
technology vendors, security researchers and consultancies, announced
today it has opened the first annual review of recommended best
practices for reporting and responding to security vulnerabilities. OIS
members will begin proactive outreach to solicit comments from experts
in the vendor and security researcher communities for its 2004
Security Vulnerability Reporting and Response Guide, which is
available for download at no cost on the OIS Web site at
www.oisafety.org.
The timeliness of this review was underscored this month when the
National Cyber Security Partnership Task Force issued a report titled
“Improving Security Across the Software Development Lifecycle,”
which recommends widespread adoption of the OIS guidelines and is
available from http://www.cyberpartnership.org/init-soft.html.
Specifically, the report
noted, “OIS has drafted a set of voluntary guidelines for behavior that
promotes greater cooperation, predictability and accountability than is
generally extant today. Broad adoption of these guidelines would lead to
more effective interactions and result in more rapid and effective
response to identified vulnerabilities.” By regularly conducting public
reviews such as this, the OIS hopes to ensure that the Guidelines remain
useful and relevant to the security community and, most importantly, to
the millions of computer users who are the ultimate beneficiaries of
effective computer security practices.
Founded in 2002 to help steer, propose and institutionalize best
practices for handling security vulnerabilities, the OIS issued its
first edition of the Guidelines in July 2003. OIS members expect to
update the document annually.
OIS member companies include @stake, BindView Corp., Foundstone,
Internet Security Systems, Inc., Microsoft Corp., Network Associates™,
Oracle Corp., The SCO Group, SGI and Symantec.
“The threat posed by security vulnerabilities is clearly spotlighted in
the national agenda,” said Paul Kurtz, executive director, Cyber
Security Industry Alliance. “The OIS is making a concerted effort to
bring standards of accountability and best-practices consensus for
security researchers and software companies alike, raising awareness of
these critical issues.”
The OIS will review suggestions made during the 30-day public comment
period for its second annual guide, which is planned for availability in
mid-July.
About the Organization for Internet Safety
The Organization for Internet Safety (OIS) is a unique alliance between
leading technology vendors, security researchers and consultancies
working to propose and institutionalize industry best practices for
handling security vulnerabilities. The OIS was founded in September 2002
on the principle that standardized, widely accepted processes will allow
security vulnerabilities to be handled in a way that reduces the dangers
they pose and will help security vendors and researchers to more
effectively protect Internet users and critical infrastructures.
Founding members of the OIS include @stake, BindView Corp. (NASDAQ: BVEW),
Foundstone, Internet Security Systems, Inc. (NASDAQ: ISSX), Microsoft
Corp. (NASDAQ: MSFT), Network Associates (NYSE: NET), Oracle Corporation
(NASDAQ: ORCL), The SCO Group (NASDAQ: SCOX), SGI (NYSE: SGI) and
Symantec (NASDAQ: SYMC).
For Information Contact:
Scott Blake
BindView Corporation
scott.blake@bindview.com
(703) 229-5077
Yvonne Donaldson
BindView Corporation
yvonne.donaldson@bindview.com
(713) 561-4023
Trademarks
@stake, BindView Corp., Foundstone, Internet Security Systems, Inc.,
Microsoft Corp., Network Associates, Oracle Corporation, The SCO Group,
SGI and Symantec are trademarks or registered trademarks of the
respective companies identified above.