Security expert proposes hackers' union

A proposal to create an association to represent the interests of hackers and vulnerability researchers is gaining support, a security expert said Wednesday.

The group, which would be geared toward researchers and not software vendors, would provide guidelines on vulnerability disclosures and would lobby against legislation that could stifle security researchers' ability to tinker with software. Nearly three-dozen people have pledged financial support to help get the yet-unnamed group started, said Thor Larholm, senior security researcher for PivX Solutions.

"Initially, what has disturbed me was all the special-interest organisations created by vendors for vendors," he said. "We want to do something for security researchers, and it's not just about disclosure policy, but about helping and supporting researchers."

The move, first publicly proposed on Tuesday to a security mailing list, is the latest by hackers and security researchers to fight off corporate public relations and government policies that aim to suppress information about vulnerabilities from the public.

Security researchers and hackers have long worried that companies may succeed in using the controversial Digital Millennium Copyright Act (DMCA) to quell their reports of vulnerabilities in software products. Several companies--including Adobe Systems, Diebold Election Systems, GameSpy, Hewlett-Packard and SunComm Technologies--have used the DMCA to go after amateur and professional researchers who have found flaws in their products. A criminal case, which resulted in the conviction of a system administrator on a single charge of computer crime, was recently overturned, but only after the researcher involved served out his 16-month sentence.

Any group that represents the interests of vulnerability researchers could counter the Organization for Internet Safety--a group founded by Microsoft and several security firms that perform work for the software giant--which has proposed guidelines for the responsible disclosure of flaws.

The new group would help security experts contact software makers, make sure they are credited for their work, lobby against legislation that blocks research, and in some cases, act as a proxy between researchers and companies.

"The vast majority of researchers are reporting vulnerabilities on a completely voluntary, non-contractual, noncommissioned basis, freely helping the vendor to secure their products," Larholm said in an e-mail to the security mailing list. "A lot of people have proposed organisations that deal with one or another of these aspects, though not all."

The public disclosure of software vulnerabilities originally gained momentum in the early 1990s, because operating system and application makers did not always respond to people who found security holes in their products. By telling the public about the security problems, the researchers ensured that software makers couldn't ignore the issue.

Many companies, such as Microsoft, hope to set guidelines for the responsible disclosure of vulnerabilities. Larholm said any group would make sure that the vulnerability researchers' interests also are considered.

"Establishing an organisation that represents security researchers is not just for the good of the researchers themselves, it is for the good of the community and industry as a whole," he wrote in the e-mail.


Talkback: 1 comment

    Anonymous -- 02/12/03

    I think that such an organisation is an absolute necessity. It's unfortunate that the little people could be charged for discovering flaws in software and reporting them to the rest of the community. If companies don't like the idea, then don't sell software with flaws. The trend is that software companies release their software without warranty and without accepting responsibility for damage that it may cause.
    If a company wants to release software with such a license, then they will have to accept that there is a large community out there that will try to discover damaging flaws in the software and inform the rest of the community so that they can take action to prevent themselves from being affected by it.
    In the event that legislation prevents us from discovering these flaws and reporting them, then I say legislation needs to be put in place that prevents companies from distancing themselves from the damage that their software can cause. This means that if a cracker breaks into a system and causes damage, then not only the cracker but also the company responsible for the software should be liable for any and all damages caused by the action. The same goes for flaws in the software that may cause damage in the absence of a third-party cracker. Companies should be held fully responsible for any damage that may be caused by faulty software, or accept that we will find and report faults in it.

    Discovering flaws in software and reporting them, in my opinion, comes under the headings of self-preservation/defence (of ourselves and our fellow consumers), competition, and quality assurance.

    Any attempt to inhibit these activities is a sign that software companies are trying to cut costs by relaxing software quality standards and using the law to hide flaws in the software (i.e. ripping their customers off and allowing damage to occur at the expense of their customers).

    The best quality control system is 100,000+ individual users/companies locating flaws and reporting them, so that action can be taken to protect themselves from damages that may occur and software companies can take action to fix the problems. Without this community, software companies are free to distribute faulty software, which will lead to a poor software market.

    Maybe we should just send software companies the bill for our hard work aimed at strengthening their software and protecting ourselves from their flaws and poor quality control.
