Organization for Internet Safety

From SourceWatch
Jump to navigation Jump to search

Organization for Internet Safety (OIS) is basically an organization of commercial technology companies claiming to develop policies and procedures to improve computer security, especially how vulnarabilities are released. Although an organization for developing computer security policies would be welcomed, many doubt the motives of OIS.

One example of a source of concern for security professionals is in the OIS FAQ:

Does OIS support pre-disclosure of vulnerability information to select groups?
No. We believe the software author should be given a chance to create a fix before vulnerability information is made public, but that there should be no further distribution of that information until the fix is complete. This priniciple can be very difficult to adhere to in certain situations, such as dealing with the open source community where there aren't protections to keep vulnerability information secret.

The problem with the above principle is that no timeline is stated. The software author has an indefinite period of time to develop a fix, leaving users of the author's product unknowingly vulnerable for an indefinitely time period. Most will agree that the author should be notified first, but if the author fails to develop a fix in a timely matter, the vulnerability can be disclosed to the community so administrators can take preventive action before a fix is made available. This OIS principle puts the needs of the author over its users and the community as a whole.

One of the key members of OIS is Microsoft, a company with a shaky security track record and well-known for resisting admission to vulnerabilities in their products. Many in the computer security community see OIS as front-group lobbying for policies favoring OIS members interests and not those of the community.