Bugtraq mailing list archives

security holes, notification protocols, and a clarification


From: tiemann () cygnus com (Michael Tiemann)
Date: Thu, 14 May 1998 18:29:41 GMT


Yesterday, I made a posting that was out of line and non-constructive.
I'm going to try to rectify that.

I'm not against people reporting security holes (or posting information
on the specifics of the vulnerability, up to and including the method of
the attack).  If I implied that, it was my error.

I have been informed that this list exists to serve users who have
become disenchanted with CERT and "the establishment," and hence the
readership values _immediate_ disclosure of _all_ security-related
problems, and I have no complaint about that, either.

My problem is that the posting to the list was not also sent to Cygnus.
Instead, we satisfied another 64 download requests in the time between
the posting to BUGTRAQ and notification by a BUGTRAQ reader to Cygnus,
some 17 hours after the original posting was made.

Within 30 minutes of (delayed) notification, we verified the problem,
shut down our distribution, and began to fix the problem.  The problem
was fixed 2 hours later, and we spent 6 hours last night and another 4
hours this morning verifying the fix for the platforms we support.  We
expect to have the fixed software available for ftp within the next few
hours.  Our start->finish response is expected to be about 19 hours.
The reason it didn't happen faster: we were notified just before the end
of our business day.

Had we been notified _concurrently_ with the BUGTRAQ posting, we'd have
fixed the problem yesterday, and we would not have distributed buggy
software to 64 additional people.

Modulo relativity, I realize that time applies to all of us equally, and
that notifying Cygnus before the public cannot "undo" damage that's
been done.  OTOH, by not notifying Cygnus promptly, we continued to do
damage without knowledge of the fact.  That is what really upset me
yesterday.

Peace (I hope),

M
