12 August 2003

The article: Vendors Offer Plan for Disclosing Software Security Holes - Computerworld

The final version of the process:

To the editor:

Please include us among the "Security researchers [who] say their concerns were ignored" by the grandly-named "Organization for Internet Safety (OIS)".

In our open letter of June 10th, we said that the process:
  1. Pays insufficient attention to the "engineering complexity" of any particular vulnerability.
  2. Does not recognize the critical need for "life cycle" considerations in the design, creation, and maintenance of secure code.
  3. Does not include sufficient enticements to motivate widespread participation.
  4. Is too complicated (and too detailed) to be practical.
Having looked over the final version, we conclude not only that our concerns (see for the full text) were ignored, but that some were actually exacerbated. The document now runs to 36 pages, for example. Like the process itself, it is so long and so complicated that one must immediately consign it to the "boat anchor" category. (Go ahead, try to read it through! It's at

We had high hopes when we first heard about the project. As security practitioners with decades of experience--and more than a few years in the center ring of the "vulnerability circus"--we were ready for a workable proposal in a collaborative spirit. We suspect now that the point of the exercise was to produce a process to deaden dissent and provide a preemptive defense against liability lawsuits. In any event, the effort is dead on arrival; and that's a low-down dirty shame.

Mark G. Graff
Kenneth R. van Wyk
Authors, Secure Coding

Copyright (C) 2003, Mark G. Graff and Kenneth R. van Wyk. Permission granted to reproduce and distribute in entirety with credit to authors.

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.