All bugs are created equal
Security tools vendor ISS has promised to handle security vulnerabilities affecting open source and Windows platforms the same way following criticism of its premature disclosure of open source security problems.
In recent months, sections of the security community have alleged that ISS jumped the gun in releasing information on flaws in a Solaris font daemon, BIND and (most notably) Apache ahead of the widespread availability of a fix. Critics argue that ISS acted out of self-promotion rather than in the interests of the wider Internet community.
ISS strongly denies this but admits to mistakes in its approach, which it says it has addressed through revised vulnerability disclosure guidelines.
Previously, ISS handled open source vulnerabilities it unearthed on a "case by case basis", but it will now treat Windows and open source platforms the same, normally allowing vendors 30 days to respond to problems before publicising them. The responsible disclosure guidelines of ISS' X-Force (its security research team) define a four-phase process: an initial discovery phase, a vendor notification phase, a customer notification phase and a public disclosure phase.
- Security Database - Company: Internet Security Systems (12 May 2002)