Hackers, security consultants and large computer companies have made their first attempt at producing guidelines for how software bugs should be dealt with in future.
The Organisation for Internet Safety has released draft guidelines for a month-long public consultation after which it hopes the confusing and sometimes damaging world of bugs and security holes can be given some form of clarity.
The guidelines cover procedures and protocols from the discovery of a bug, to informing the company concerned, to the production of a patch, and finally the time given after the patch is released until the information is released to the public.
It breaks down like this: a researcher or hacker finds a bug or security hole and reports it confidentially to the company at a designated email address. The company has seven days to respond. It then has 30 days to produce and release a patch. After that it has a further 30 days for the patch to take hold before the researcher or hacker is permitted to release details of the bug to the public.
While the aims of the guidelines are laudable, whether they will win approval, and then whether they will actually be adopted by the rest of the industry, is an entirely different matter. The OIS is viewed with suspicion by many and perceived as largely a corporate attempt to control information.
The OIS describes itself as "a unique alliance between leading technology vendors, security researchers and consultancies working to propose and institutionalise industry best practices for handling security vulnerabilities". Its members include Microsoft, Oracle, Network Associates, Symantec and SCO on one side and @stake, BindView, Foundstone, Guardent and Internet Security Systems on the other.
However, Mark Litchfield of NGS Software - a company which he claims put out more advisories last year than most of the other security consultants put together - is not at all sure. "What OIS set out to do is a good thing but they need to bring in more small, independent companies and shake off the corporate image if they are to become respected and successful," he told us. Mark doesn't see the guidelines as affecting him since NGS tends to work confidentially with vendors until the problem is sorted out, so release times are not strictly relevant.
However, anything that helps build more trust and understanding between hackers, security experts and software companies will benefit not only them but also consumers. If implemented, the guidelines would give companies time to respond to bugs, but they may also push companies to actually do something about their vulnerabilities. Mark Litchfield reveals that one major vendor still has several mission-critical holes in its server despite being told of them over nine months ago.
Plus, of course, guidelines and constraints will be anathema to many young hackers who view posting details of an exploit as the just reward for their efforts. Despite claims otherwise, it is this getting-one-over and public glory that drives a lot of bug finders.
The OIS guidelines are going to have a difficult birth.