Organisation for Internet Safety launched

A Microsoft-backed security organisation set up almost a year ago has finally had its formal launch.

Inaugurated last year at the Trusted Computing forum, the Organisation for Internet Safety (OIS) was charged with creating a set of guidelines for handling the disclosure of flaws and vulnerabilities in software.

The founders, which included Microsoft, @stake, Guardent, Bindview and Foundstone, favoured a standard that limited the public disclosure of security vulnerabilities.

It was announced today that Caldera/SCO, Oracle, SGI, Symantec and Network Associates have also jumped on board.

The organisation expects to release drafts of its guidelines in early 2003.

But when it was first suggested last autumn, the OIS was criticised by members of the security industry who suggested that a limited disclosure standard could be used as a stick with which to beat other researchers into line.

Some experts claim that limited public information will let vendors take their eyes off the ball when it comes to releasing patches.

The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.

John Pescatore, vice president for internet security at Gartner, said: "It's increasingly important to our critical infrastructure, as well as to individual computer users, that security vulnerabilities be avoided when developing software.

"But where they occur they need to be found and eliminated as effectively as possible. Industry consensus processes are a needed step towards making this happen."

A similar proposal, known as the Responsible Disclosure Process, which was more in favour of full disclosure, was rejected by the Internet Engineering Task Force (IETF) earlier this year.

The OIS proposal was taken on board by the IETF and will be opened to public review and comment before being considered for adoption as an official standard.