For Immediate Release
Organization for Internet Safety Issues Public Comment Draft for Security Vulnerability Reporting and Response Guide
June 4, 2003
The Organization for Internet
Safety (OIS), an alliance of leading technology vendors, security
researchers and consultancies, today announced it has developed a
preliminary draft of best practices for reporting and responding to
security vulnerabilities. During the next 30 days, OIS members will
actively reach out to researchers and vendors in the technology
community to gain broad public comment on the proposal. The draft,
Security Vulnerability Reporting and Response Guide, is available for
free download via the OIS website at www.oisafety.org/.
The OIS was founded on the principle that widely accepted processes will
allow security vulnerabilities to be handled in a way that reduces the
dangers of security breaches and helps security vendors and
researchers more effectively and efficiently protect Internet users and
critical infrastructures. Members of OIS include @stake, BindView Corp.,
The SCO Group, Foundstone, Guardent, Internet Security Systems, Inc.,
Microsoft Corp., Network Associates, Oracle Corporation, SGI and
Symantec. Each of these global network security companies and technology
vendors is committed to developing common processes and best practices
that will make it easier for security researchers and vendors to resolve
and report security issues.
The draft proposes a process in which researchers and vendors work
together to investigate and remedy security vulnerabilities, then
jointly provide guidance to help users maintain the security of their
systems. It provides specific, prescriptive guidance that establishes a
framework in which researchers and vendors can collaborate to improve
the speed and quality of security investigations, thereby helping better
protect Internet users and infrastructures.
“With the rampant increase in security vulnerabilities, it’s important
for security researchers and industry leaders to work together to help
solve vulnerability problems quickly and easily,” said Michael
Rasmussen, CISSP, and director of security research at industry research
firm Forrester Research, Inc. “The work of OIS provides a tangible start
in elevating standards for accountability on all fronts and among all
audiences in managing security vulnerabilities.”
Following the 30-day public comment period, the OIS will review
suggestions to create the final process guide. These recommended
processes will be made publicly available at a press conference during
the Black Hat USA 2003 trade symposium and meeting, July 28-31, 2003 in
Las Vegas.
About the Organization for Internet Safety
The Organization for
Internet Safety (OIS) is a unique alliance between leading technology
vendors, security researchers and consultancies working to propose and
institutionalize industry best practices for handling security
vulnerabilities. The OIS was founded in September 2002 on the principle
that standardized, widely-accepted processes will allow security
vulnerabilities to be handled in a way that reduces the dangers they
pose and will help security vendors and researchers to more effectively
protect Internet users and critical infrastructures. Founding members of
the OIS include @stake, BindView Corp. (NASDAQ: BVEW), The SCO Group
(NASDAQ: SCOX), Foundstone, Guardent, Internet Security Systems, Inc.
(NASDAQ: ISSX), Microsoft Corp. (NASDAQ: MSFT), Network Associates
(NYSE: NET), Oracle Corporation (NASDAQ: ORCL), SGI (NYSE: SGI) and
Symantec (NASDAQ: SYMC).
Contact:
Scott Blake
BindView Corporation
(703) 229-5077
sblake@bindview.com
Yvonne Donaldson
BindView Corporation
(713) 561-4023
yvonne.donaldson@bindview.com