November 15, 2001, 12:00 AM — A collection of security companies have formed a group to create
standard policies and guidelines for how information about software
security flaws is distributed and published. Created during a series of
workshops at Microsoft Corp.'s three-day Trusted Computing Forum this
week, one of the proposed guidelines would restrict those who find
flaws in software products from publishing the methodology on how to
exploit those holes for 30 days.

"The main concept is one of acting responsibly with respect to the
disclosure of and fixing of vulnerabilities," said Eddie Schwartz,
senior vice president and chief operating officer for security company
Guardent Inc. "Right now, it's the wild wild west and even well
intentioned people don't know what to do."

The group proposed creating a "grace period" in which companies could
plug any exploits and distribute patches and tools to customers without
fear of any further exploits of the holes. The group will also create a
set of procedures that software makers must follow to ensure that users
are informed about risks and that vulnerabilities are fixed in a timely

The group was initially backed by six companies, including Microsoft,
which was the first software maker to come on board. It will urge
independent security researchers, as well as major technology companies
like Hewlett-Packard Co. and Sun Microsystems Inc., to join, Schwartz
said. Founding members include @stake Inc., Internet Security Systems
Inc., Bindview Corp. and Foundstone Inc.

The issue is one that Microsoft is close to, as it has recently found
itself responding to security holes discovered in its products. The
company issued a security bulletin Thursday warning that information
about "cookies" in its Internet Explorer 5.5 and 6.0 browsers can be
exposed or altered, making personal information vulnerable.

Craig Mundie, Microsoft's chief technology officer for advanced
strategies, addressed similar security issues during the first day of
the Trusted Computing Forum Tuesday. Mundie went as far as comparing
the malicious coders who have exploited holes in Microsoft's software
to the terrorist cells behind the attacks on the U.S.

"The evolution of hacking is very, very akin to this network of terror
cells," he said at the forum.