The group behind the OpenSSL cryptographic library that enables Web site encryption says it doesn’t give advance notice of vulnerabilities to any organization, no matter how much that organization is willing to pay.
“We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You can not pay us to get security patches in advance,” the OpenSSL Project said in a security policy guideline published Sept. 7.
“We may withdraw notifying individual organisations from future prenotifications if they leak issues before they are public or over time do not add value” by, for example, providing feedback, corrections and test results.
“It is not acceptable for organisations to use advance notice in marketing as a competitive advantage,” the statement adds. “For example, ‘if you had bought our product/used our service you would have been protected a week ago’.”
OpenSSL enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption in a wide range of applications, from secure Web sites to car systems.
OpenSSL came to the world’s attention last spring with the discovery of the Heartbleed vulnerability. But the project says “there are actually not a large number of serious vulnerabilities in OpenSSL which make it worth spending significant time keeping our own list of vendors we trust, or signing framework agreements, or dealing with changes, and policing the policy. This is a significant amount of effort per issue that is better spent on other things.”
As for its policy on handling security issues, the project said it will determine the risk of each issue, dividing them into three categories:
- low severity issues. This includes issues such as those that only affect the openssl command line utility, unlikely configurations, or hard to exploit timing (side channel) attacks. These will in general be fixed immediately in latest development versions, and may be backported to older versions that are still getting updates. We will update the vulnerabilities page and note the issue CVE in the changelog and commit message, but they may not trigger new releases.
- moderate severity issues. This includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.
- high severity issues. This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.
The openssl-announce list will be notified of upcoming fixes with a scheduled update release date and time and the severity of the issues being fixed by the update. No further information about the issues will be given. The goal is to ensure organizations have staff available to handle what the announcement means.
For updates that include high severity issues there will be a pre-notification announcement with more details and patches.
The notice also said that not all security issues come to the project directly; some come from third parties such as companies that pay for vulnerabilities, and some from country CERTs. Those reports may follow a different style of notification.