Public Review and Comment Period for Updated OIS Guidelines

Last summer, the Organization for Internet Safety released Guidelines for Security Vulnerability Reporting and Response V1.0, outlining recommendations for effectively identifying, investigating and remedying security vulnerabilities in software products. To ensure that the document remains timely and relevant, the Guidelines task the OIS membership with reviewing and updating them at least every two years. The OIS is pleased to announce that the first such review is now underway, and invites all interested people and organizations to provide comments and suggestions for improving the Guidelines.
The OIS is grateful for the many suggestions we have already received. Companies and individuals who have implemented the Guidelines have given us valuable feedback on their experiences; we solicited comments and suggestions from subject matter experts throughout the security community; and other interested people have suggested improvements. In addition, two public-private partnerships have recently published reports with recommendations pertaining to vulnerability handling: the National Infrastructure Advisory Council's Vulnerability Disclosure Framework: Final Report and Recommendations by the Council, and the National Cyber Security Partnership's Improving Security Across the Software Development Life Cycle, which recommended the adoption of the OIS Guidelines as an industry benchmark.
To streamline the review process, we have drafted an intermediate version of the Guidelines that addresses the feedback we have received to date. We recommend reviewing this draft, Version 1.5, which is hosted on our web site at http://www.oisafety.org/review/draft-1.5.pdf, rather than the original Version 1.0 Guidelines. A listing of the major changes made in Version 1.5 is available at http://www.oisafety.org/review/changes-1.5.html. Reviewers who prefer to provide feedback on Version 1.0 are certainly welcome to do so.
An email address, feedback@oisafety.org, has been set up for the review. Although we cannot reply to individual mails, we are committed to reading and considering all comments we receive. The closing date for the public review will be 24 June 2004, and the updated Guidelines will be released later in 2004.