Security and IT Industry Leaders Form Organization for Internet Safety

New Alliance Will Propose Best Practices for Handling Security Vulnerabilities

Sept. 26, 2002 — The Organization for Internet Safety (OIS), a unique alliance of leading technology vendors, security researchers and consultancies, today announced its formation. The OIS was formed to propose and institutionalize industry best practices for handling security vulnerabilities to ensure that security and technology vendors, and security researchers, can more effectively protect Internet users. Founding members of the OIS include @stake, BindView Corp., Caldera International, Inc. (The SCO Group), Foundstone, Guardent, Internet Security Systems, Inc., Microsoft Corp., Network Associates, Oracle Corporation, SGI and Symantec.

Currently, there are no widely accepted industry best practices for reporting and managing security vulnerabilities. The absence of common processes and best practices can make it extremely difficult for security researchers and vendors to efficiently resolve security issues and keep Internet users and security professionals informed and armed with the most up-to-date security tools. The OIS is founded on the principle that standardized, widely-accepted processes will allow security vulnerabilities to be handled in a way that reduces the dangers they pose and will help security vendors and researchers to more effectively protect Internet users and critical infrastructures.

OIS is actively working to develop guidelines for handling vulnerability information that will be useful for security researchers and technology vendors alike. The organization expects to release drafts of the standards in early 2003.

As part of the OIS, an Advisory Board is being formed that will consist of global network security managers, who can provide unique insight into the needs of computer users and infrastructure providers. The Advisory Board will work with the OIS to validate processes that the group develops. Advisory Board members will be nominated and approved by OIS members and will serve for one year. OIS expects to begin announcing Advisory Board members in early 2003.

“It's increasingly critical – to our critical infrastructure as well as to individual computer users – that security vulnerabilities be avoided when developing software, but where they occur they need to be found and eliminated as effectively as possible,” said John Pescatore, Vice President for Internet Security at Gartner, Inc. “Industry-consensus processes are a needed step toward making this happen.”

The OIS held its first official meeting at the RSA Conference 2002 in San Jose, Calif., in February. The group has completed its charter and bylaws, and is now working to prepare draft standards for vulnerability reporting. These standards will undergo public review before being finalized.

About the Organization for Internet Safety
The Organization for Internet Safety (OIS) is a unique alliance between leading technology vendors, security researchers and consultancies working to propose and institutionalize industry best practices for handling security vulnerabilities. The OIS was founded in September 2002 on the principle that standardized, widely-accepted processes will allow security vulnerabilities to be handled in a way that reduces the dangers they pose and will help security vendors and researchers to more effectively protect Internet users and critical infrastructures. Founding members of the OIS include @stake, BindView Corp. (Nasdaq: BVEW), Caldera International, Inc. (The SCO Group) (Nasdaq: SCOX), Foundstone, Guardent, Internet Security Systems, Inc. (Nasdaq: ISSX), Microsoft Corp. (Nasdaq: MSFT), Network Associates (NYSE: NET), Oracle Corporation (Nasdaq: ORCL), SGI (NYSE: SGI) and Symantec (Nasdaq: SYMC).

Contact:


Scott Blake
BindView Corporation
(703) 229-5077
sblake@bindview.com


Keri P. Mattox
FitzGerald Communications
(617) 488-9500
kmattox@fitzgerald.com