<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-Disclosure] Public Review of OIS Security Vulnerability Reporting and Response Guidelines



Nobody trusts the OIS or its motives. I imagine this is similar to the feedback you've gotten from everyone else as well, but Immunity has no plans to subscribe to your guidelines, and is going to oppose any efforts you make to legislate those guidelines as law. In section 1.1 the draft proposes that the purpose of the OIS's model is to protect systems from vulnerabilities. This is fairly obviously untrue - the purpose of the OIS is to lobby towards a business model for Microsoft and the other OIS members that involves the removal of non-compliant security researchers.

This call for feedback is a thinly disguised attempt to get public legitimacy and allow the OIS to claim it has community backing, which it clearly does not.

It's rare, but there are still security companies and individuals who do not owe their entire business to money from Microsoft. It's July 4th. and some of us are Americans who understand the concept of independance.

Dave Aitel
Immunity, Inc.




OIS wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Organization for Internet Safety (OIS) extends an invitation to
the readers of the BugTraq, NTBugtraq, and Full-Disclosure mailing
lists to participate in the ongoing public review of the OIS Security
Vulnerability Reporting and Response Guidelines.
The OIS reviews the Guidelines annually to ensure that they remain
useful and relevant to the security community and, most importantly,
to the millions of computer users who are the ultimate beneficiaries
of effective computer security practices.  Over the past year, OIS
has received feedback from many adopters of the Guidelines as well as
from several public-private partnerships, and have incorporated much
of this feedback into an interim version that is available at
http://www.oisafety.org/review/draft-1.5.pdf.  We recommend reviewing
the interim version, but reviewers are welcome to provide feedback on
the original version at http://www.oisafety.org/reference/process.pdf
if they would like.

For more information on the public review, please visit
http://www.oisafety.org/review-1.5.html.  The closing date for the
review has been extended until 16 July 2004.  We look forward to your
feedback.

Regards,

The Organization for Internet Safety
www.oisafety.org

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQOWQgbF9hclyvjnOEQIhmACfYlaHX2NnJbHUCaCYfMHO4tkGDh0AoMzz
KWNTvxgQVKXiC1OU9CR/rXYF
=4mT/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html