ICASI, FIRST, NTIA Lead Multi-Stakeholder Effort to Address Security Vulnerabilities More Efficiently and Effectively

WAKEFIELD, Mass. – January 11, 2017 – The Industry Consortium for the Advancement of Security on the Internet (ICASI) applauds the FIRST Vulnerability Coordination Special Interest Group (SIG) for making available for public comment the draft Guidelines and Practices for Multi-party Vulnerability Coordination.

While ISO standards provide basic guidance on the handling of potential vulnerabilities in products, the Guidelines document is geared to consider more complex and typical real-life scenarios. Case studies start with products in the design stage with no affected users and scale to vulnerability disclosure recommendations for scenarios that require notification to multiple vendors and stakeholders at the same time. The document is targeted at Internet vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time. The paper was produced in collaboration with the National Telecommunications and Information Administration (NTIA), which also endorsed the effort.

A final draft of the report is open to public comment through January 31, 2017. Comments should be submitted by email to vulcoord-sig-comments@first.org. After the comment period is closed, the Vulnerability Coordination SIG will revise the document and publish a final version.

In an increasingly connected world reliant on Internet technology, vulnerabilities in software and hardware can put millions of people and businesses at risk. The long-term goal of ICASI’s focus on vulnerability coordination has been to facilitate efforts by multiple stakeholders to create a coordinated set of best practices and guidelines that people and organizations can implement when a hardware or software vulnerability is discovered. The organization’s partnership with FIRST in this area squarely supports these aims. In addition to multi-party disclosure, the FIRST Vulnerability Coordination SIG is also addressing, through future work items, the related topics of bilateral coordination and notification.

“The Vulnerability Coordination SIG was created through a co-sponsorship between ICASI and FIRST because we felt it gave us the ability to bring together the most diverse group of stakeholders to help address the challenges of vulnerability coordination, which is a critical component of incident response,” said Peter Allor, senior cyber security strategist, IBM and ICASI’s President. “As we’ve seen, the SIG drew expertise and experience from government, business, academia and others to draft the Guidelines and Practices for Multi-party Vulnerability Coordination, which we believe when final will have a truly beneficial impact on protecting critical assets.”

About the Vulnerability Coordination SIG

Formed in 2015 and co-sponsored by ICASI and FIRST, the Vulnerability Coordination SIG is a collaboration among security researchers, software and system developers, computer security incident response teams, vendors and other industry stakeholders. Among the group’s goals is to develop and publish a common set of best practices around security coordination, as well as methods for reporting and updating coordination directories.

About ICASI

The Industry Consortium for Advancement of Security on the Internet (ICASI) enhances the global security landscape by driving excellence and innovation in security response practices, and by enabling its members to proactively collaborate to analyze, mitigate, and resolve multi-stakeholder, global security challenges. ICASI’s Charter Members are Cisco Systems, IBM, Intel Corporation, Juniper Networks, and Microsoft Corporation, while Amazon, Blackberry, and Oracle are General Members of the organization.

About FIRST

FIRST is the premier organization and recognized global leader in incident response. Membership of FIRST enables incident response teams to respond to security incidents more effectively, reactively as well as proactively. FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations. Its aim is to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.