All bugs are created equal

Thursday, 12 December 2002, 11:41 AM EST

Security tools vendor ISS has promised to handle security vulnerabilities affecting open source and Windows platforms the same way following criticism of its premature disclosure of open source security problems.

In recent months, sections of the security community have alleged that ISS jumped the gun in releasing information on flaws in a Solaris font daemon, BIND and (most notably) Apache ahead of the widespread availability of a fix. Critics argue ISS acted out of self-promotion rather than in the interests of the wider Internet community.

ISS strongly denies this but admits to mistakes in its approach, which it addresses through revised vulnerability disclosure guidelines.

Previously, ISS handled open source vulnerabilities it unearthed on a "case by case basis", but it will now handle Windows and open source platforms the same way, normally allowing vendors 30 days to respond to a reported problem before publicising it. The responsible disclosure guidelines of ISS' X-Force (its security research team) describe a four-phase process: initial discovery, vendor notification, customer notification and public disclosure.

Copyright 1998-2014 by Help Net Security.