Reducing Security Liabilities
The Organization for Internet Safety has devised guidelines for security bug hunters to follow when a vulnerability is found.
July 7, 2003
The Organization for Internet Safety -- which includes Internet Security Systems, Microsoft, Network Associates, Oracle and @Stake as members -- has devised guidelines for security bug hunters to follow when a vulnerability is found. The group states, "OIS recognizes that the processes will only be adopted if they represent the consensus of the security community." Unfortunately, OIS forgot to invite the very large community of independent researchers to the party.
Some fear that OIS will use the guidelines to silence researchers and disclosure mailing lists. Researchers perceive a threat because the guidelines could be held up as a standard of conduct that vendors then cite when suing researchers over their findings. But it isn't a big threat: At best, guidelines such as these are viewed as best practices and can't, by themselves, be used effectively in civil or criminal courts, because they are neither binding standards nor laws.
This seems like a CYA move on the vendors' part. The rumblings that vendors should be held financially or criminally liable for security vulnerabilities are getting louder, and one way vendors can fend off legal action is to show that they have taken reasonable care to remove or fix vulnerabilities. If vendors adhere to a set of published guidelines, it lends support to their argument that they are doing what they can to fix problems.