The main controversy that has surrounded OIS is that many people feel as though the
guidelines have been written by the vendors, for the vendors. Critics have voiced their
concerns that the guidelines will allow vendors to continue to stonewall and deny specific
problems. If the vendor claims that a remedy does not exist for the vulnerability, the
finder may be pressured to not release the information on the discovered vulnerability.
Although controversy still surrounds the topic of the OIS guidelines, they are a good
starting point. If all of the software vendors will use this as their framework, and develop
their policies to be compliant with these guidelines, then customers will have a standard
to hold the vendors to.
Case Studies
The fundamental issue that this chapter addresses is how to report discovered vulnerabilities
responsibly. The issue has sparked considerable debate in the industry for some
time. Along with a simple ???yes??? or ???no??? to the question of whether there should be full
disclosure of vulnerabilities to the public, other factors should be considered, such as
how communication should take place, what issues stand in the way, and what both
sides of the argument are saying. This section dives into all of these pressing issues, citing
case studies as well as industry analysis and opinions from a variety of experts.
Pages:
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187