Bugtraq mailing list archives

Re: CERT, CIAC, etc. and unethical practices


From: Catherine.Allen () uniq com au (Catherine Allen)
Date: Mon, 23 Dec 1996 10:51:52 +1100


> On top of this most people I know who've handed
> things to the CERT(s) not only do not receive a reply, but
> we do not see any visible action taken even after a month or more.

If you're going to say something this inflammatory, please do mention
*which* ERT/IRT you were dealing with.

Having worked at AUSCERT, I can say from experience that all mail is
answered.  Having worked through some bug reports of this sort, I can
also say that the vendors were leaned on very heavily to actually *do*
something about the bug and that fixes were made available asap.

> I still do not understand the CERTs' attitudes towards some full disclosure
> groups and many individuals who are mainly interested in getting the holes
> fixed and are perfectly willing/happy to cooperate with vendors and
> CERT(s).

Because they're the poor bunnies who have to deal with all the sites that
get broken into due to published exploit scripts!

(there are generally a rash of sites that get cracked directly after the
publication of an exploit - then there are rashes of follow-on cracks
once the sniffer logs start filling :(

Personally, I consider publishing an exploit to be a sign that you are *not*
willing to work with a vendor (or an IRT).  In effect, an exploit script
reduces the amount of time available to fix a problem to zero, which
encourages quick'n'dirty patches (likely sources of yet more bugs ):

> 8lgm,
> Dave Meltzer

Who've been acknowledged in previous AUSCERT advisories...

        Catherine.


