Responsible Disclosure by Corporate Fiat
2002-10-30
The new Organization for Internet Safety aims to make vulnerability disclosure more responsible. It's a good idea, but is the group too corporate to pull it off?
The OIS will have little or no impact on the distribution of vulnerability information. First, they would have to buy Bugtraq (oops, too late) and every other community resource for sharing this information (not going to happen).
Second, they will have to generate new vulnerability information themselves, either by buying it, or dedicating resources to developing it.
Given that the business models of all of these companies have nothing to do with leveraging 0-day exploits in any meaningful way (e.g. other than putting them in scanner tools), there is no reason to dedicate a team of researchers to someone else's code (M$) unless the vendor is paying them.
So, since it is not cost effective to have your $90kUSD security programmer write overflows for IIS all day, the OIS will not be developing any more new exploits than they did previously.
The vast majority of exploits published over the last 6 years have conspicuously not been from the vendors who are now in the OIS.
The only value that I can see in having such an organization is so that M$ and other vendors can more freely distribute information and code to the group under NDA, and avoid having to actually tell their customers that the patch they are installing has security fixes.
So, maybe these companies are banding together to sell code review services to large software vendors so that their $90k programmers can generate some revenue, while not harming their business relationship with the vendors when problems are found.
Unless software vendors are paying them to do code security reviews, which they should be anyway, the OIS will not be making the net any safer, for good or for evil.
Link to this comment: http://www.securityfocus.com/comments/columns/120/17011#17011