Open response to draft OIS proposal for handling vulnerabilities

From: Kenneth R. van Wyk (ken_at_VANWYK.ORG)
Date: 06/17/03

  • Next message: Chip Andrews: "Re: NetSDK vulnerable to SQL Slammer"
    Date:         Mon, 16 Jun 2003 21:27:30 -0400

    As many of you NTBugtraq regulars probably know, the Organization for Internet
    Safety (OIS) recently posted a draft proposal for the safe disclosure of
    security vulnerabilities in software products. (The full proposal is at, FYI)

    In addition to having just finished writing an O'Reilly book on the topic of
    secure coding practices (, my co-author, Mark
    Graff, and I have each spent several years fighting vulnerabilities -- he as
    Sun's Security Coordinator and I as a Technical Coordinator at the Carnegie
    Mellon CERT/CC. We've seen at least two of the major perspectives of the
    "vulnerability circus" quite closely. As such, we feel quite strongly that
    the OIS proposal has some fundamental flaws at various levels, and have
    published an open response to it. For those interested, our response is
    available at


    Ken van Wyk
    Co-Author, Secure Coding: Principles and Practices (O'Reilly, 2003)

