Proponents of an effort to standardize the handling of computer security vulnerabilities today aborted the effort after receiving critical comments from reviewers.
In a message today to members of the Internet Engineering Task Force"s Security Area Advisory Group, the authors announced they were withdrawing the draft in response to feedback from members who felt the document was not appropriate for the IETF "since it does not deal with technical protocols."
The proposed standard, laid out in a document called "Responsible Vulnerability Disclosure Process," was submitted last month to the IETF, an Internet standards body, by Steve Christey and Chris Wysopal, security researchers from Mitre Corp. and AtStake, respectively.
The document proposed a set of "best practices" to be used by product vendors, security researchers and others involved in the disclosure of computer security flaws.
Under the proposed standard, discoverers of security bugs will honor a 30-day grace period after reporting a security flaw to a vendor before disclosing details of the vulnerability. Vendors in turn are to acknowledge reports of bugs within seven days, and to set up a special e-mail address for receiving reports.
"There does not appear to be any way to achieve consensus on that issue, regardless of the merits of the current draft or any future document that may attempt to describe disclosure recommendations," said Christey in the message today.
The announcement of the proposed standard"s demise stated that the authors are "currently identifying other forums that may be more suitable for discussion of the current document and future revisions. If we can"t find such a forum, we will create one."
While many security researchers and vendors already follow the practices detailed in the proposed IETF standard,
Some security researchers expressed concerns that codifying a reporting standard could have negative consequences. In a posting to the SAAG mailing list last month titled "Thanks, I am not buying this RFC," Georgi Guninski, a Bulgarian security consultant, stated that the proposed standard could allow vendors to label bug finders as "irresponsible while shifting the focus from their buggyware."