Guidelines for reporting security flaws under review

Got any ideas on how to improve the Organization for Internet Safety’s guidelines for reporting and responding to software security flaws? If so, the group wants to hear from you in the next 30 days. The OIS — an alliance of IT vendors and analysts formed in 2002 to develop a standard approach to handling security vulnerabilities — has started an annual review of the guide it first released last summer. The guide is essentially a code of conduct between vendors and analysts. It is designed to ensure that vendors respond to a researcher’s notification of a software vulnerability within days and attempt to create a patch within a month, and that researchers give vendors time to make fixes available before releasing details of the flaw. Since its release, OIS has been asked to shorten and streamline the guidelines and ensure they are consistent with the recommendations made by several public-private partnerships, said Scott Blake, a member of OIS and vice president of information security at Houston-based software company BindView Corp.

OODA Analyst
