NetNews
News / Analysis


Reducing Security Liabilities

  July 10, 2003
  By Mike Fratto



The Organization for Internet Safety (OIS), whose members include Internet Security Systems, Microsoft, Network Associates, Oracle and @Stake, has devised guidelines for security bug hunters to follow when a vulnerability is found. The group states, "OIS recognizes that the processes will only be adopted if they represent the consensus of the security community." Unfortunately, OIS forgot to invite the very large community of independent researchers to the party.

Some fear that OIS will use the guidelines to silence researchers and disclosure mailing lists. Researchers perceive a threat because these guidelines could be treated as a standard that vendors use to sue researchers over their findings. But it isn't a big threat: At best, guidelines such as these are viewed as best practices and can't, by themselves, be used effectively in civil or criminal courts, because they are neither standards nor laws.

This seems like a CYA move. The rumblings that vendors should be held financially or criminally liable for security vulnerabilities are getting louder, and one way vendors can fend off legal action is to show that they have taken reasonable care to remove or fix vulnerabilities. If vendors adhere to a set of published guidelines, it lends support to their argument that they are doing what they can to fix problems.
