OpenSSL Project details vulnerability alert policy

Heartbleed update: Things are better

The group behind the OpenSSL cryptographic library that enables Web site encryption says it doesn’t give advance notice of vulnerabilities to any organization, no matter how much that organization is willing to pay.

“We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You can not pay us to get security patches in advance,” the OpenSSL Project said in a security policy guideline published Sept. 7.

“We may withdraw notifying individual organisations from future prenotifications if they leak issues before they are public or over time do not add value” by, for example, providing feedback, corrections and test results.

“It is not acceptable for organisations to use advance notice in marketing as a competitive advantage,” the statement adds. “For example ‘if you had bought our product/used our service you would have been protected a week ago’.”

OpenSSL enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption in a wide range of applications, from secure Web sites to car systems.

OpenSSL came to the world’s attention last spring with the discovery of the Heartbleed vulnerability. But the project says “there are actually not a large number of serious vulnerabilities in OpenSSL which make it worth spending significant time keeping our own list of vendors we trust, or signing framework agreements, or dealing with changes, and policing the policy. This is a significant amount of effort per issue that is better spent on other things.”

As for its policy on handling security issues, the project said it will determine the risk of each issue, dividing them into three categories:

The openssl-announce list will be notified of upcoming fixes with a scheduled update release date and time and the severity of the issues being fixed by the update. No further information about the issues will be given. The goal is to ensure organizations have staff available to handle what the announcement means.

For updates that include high severity issues there will be a pre-notification announcement with more details and patches.

The notice also said that not all security issues come to the project directly; some come from third parties such as companies that pay for vulnerabilities, some come from country CERTs. They may follow a different style of notification.