[ this is an idea i'm thinking of starting into a consulting/services business. if people want to provide feedback, then silvio@big.net.au ]

OPENSOURCE INFRASTRUCTURE SECURITY SERVICES
-------------------------------------------

* Provides to its clients a subscription-based service for the immediate notification of, and solutions (where possible) for, vulnerabilities in infrastructure-related software.

* Provides, jointly with clients, notification and solutions to vendors, who then use these contributions under their own disclosure policy for mainstream public dissemination under a responsible disclosure policy.

* Provides auditing, vulnerability research and solutions for infrastructure-related vulnerabilities to satisfy these requirements.

--

* Vulnerabilities may be publicly disclosed by the vendor, with or without the knowledge or co-ordination of OSISS.

* OSISS does not require knowledge of, or authorization for, clients consulting directly with vendors regarding OSISS vulnerability information.

* OSISS does not require or desire vulnerability information to be reported to it. It is the duty of OSISS to perform, on its own accord, the vulnerability research for which these policies are in place.

* All vulnerabilities will be publicly disclosed after a grace period for the vendor if they are not disclosed and openly remedied under a responsible disclosure policy.

* Clients of OSISS are required not to disseminate vulnerability information or solutions reported by OSISS, except when one of the following occurs:

  a) Authorization by the vendor (1)
  b) Authorization by OSISS
  c) Failure by either the vendor or OSISS to act under a responsible disclosure policy.

  (1) Does not require OSISS knowledge or authorization.

[ It is recommended that security companies with a financial interest in the public dissemination of vulnerabilities for their business do not subscribe under this premise. ]

--

OSISS is not meant to replace your vendor. However, the period between discovery, solution, and open access to vulnerabilities is typically large, if not indefinite, without any disclosure. OSISS attempts to fill this gap by providing vulnerability research and solutions through auditing and contributions to infrastructure-related software, then immediately notifying subscribers of these facts. Vendors are still required to disclose as they normally would, nor does OSISS try to lengthen that process. OSISS tries to eliminate the time between discovery, solution, and notification, while at the same time advancing the security of these systems through its research.

OSISS is not an intelligence gathering business. It is a vulnerability notification and solution service for discoveries and research performed by OSISS. It does not serve to replace current public disclosure, but aims to aid it through research into unknown or non-disclosed vulnerabilities, notifying and providing solutions for such information directly to its subscribers and the vendors in question.

--

All vulnerabilities discovered by OSISS will be immediately reported to vendors in conjunction with clients, along with the necessary patches or solutions where applicable. Vendors are required to disseminate this information under a responsible disclosure policy, else mainstream public disclosure shall be carried out by OSISS.

Vendors or individuals are neither required nor expected to disclose vulnerability information to OSISS. If this occurs, the disclosure policy is between the discloser and the vendor of the software in question. OSISS will, however, provide disclosure of these vulnerabilities if no action is taken by either party following a responsible disclosure policy, given that the vulnerability has been disclosed to OSISS.

--

Through a paid subscription to OSISS, clients receive immediate notification and solutions for vulnerabilities relevant to infrastructure software that are not yet disclosed or known. By requirement, vendors will also be immediately notified and provided with solutions. This also, by requirement, means the distribution of such solutions to the public given reasonable disclosure by the vendor. The subscriber-based notification and solutions are expected to be significantly earlier than the vendor disclosure by design.

--

Silvio