
Open source put on same footing as Microsoft
By Robert Lemos
Published: 3 December 2002 12:08 GMT
In a move aimed at quieting critics, network protection company Internet Security Systems has come up with a set of guidelines which explain how it will warn the public of flaws in companies' software.
The company faced loud complaints last April after it released news of a security hole in the popular open-source web server software Apache, having given the application's developers only a few hours to respond. Twice since then, the company's policy on the timing of advisories has been questioned by its peers.
Chris Rouland, director of ISS's vulnerability research and analysis team, said that he hopes that publicly stating the company's policy and adhering to it will fend off complaints in the future. "We have had perception problems," he said.
While ISS has in the past followed a disclosure policy similar to the one released on Monday, it is introducing a major change: the company will treat developers of open-source software, such as Apache, the same as proprietary developers, such as Microsoft.
"That's where we had some problems before," Rouland said.
The guidelines say ISS will wait 30 days after notifying a software firm of a vulnerability before going public. However, while the company has habitually alerted America's National Infrastructure Protection Center - the FBI's cybersecurity task force - to any flaw that it finds, the guidelines don't require it to tell third parties about software bugs that affect security. Normally, security researchers will notify NIPC and the Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information about vulnerabilities.
"We have found the best way is that the licensor of the software should notify the licensees," Rouland said. "We don't have a complete list (of software providers), so we don't want to leave anyone out."
This issue is mainly one for open-source developers. Linux users, for example, will frequently go to the company that sells a particular Linux distribution, such as Red Hat, for a bug fix rather than to the actual developer, such as the Apache Foundation.
Many companies such as Red Hat are members of CERT and could get advisories through that organisation's alert system. However, ISS doesn't yet have an agreement in place to inform such third parties.
"Multivendor, open-source security advisories are always challenging, and we are going to look to vendors to notify their downstream providers of their issues," Rouland said.
The policy conforms with a draft set of guidelines recommended by the Organization for Internet Safety, a group formed by Microsoft and several security companies, among them ISS.
Robert Lemos writes for News.com