Bugtraq mailing list archives

Re: Remote Compromise Vulnerability in Apache HTTP Server


From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Tue, 18 Jun 2002 07:29:58 +0200

"David Litchfield" <david () ngssoftware com> writes:

> With more people and organisations doing security research, perhaps it is
> time for a Vulnerability Co-ordinator Center (a VCC) - some trusted third
> party like an off-shoot of CERT. I know this is not a new idea and one which
> has been brought up before but one I think should perhaps be discussed again
> and acted upon.

I'm not sure if we should condemn ISS for their alleged wrongdoing.
If two teams independently discover the same vulnerability in the same
timeframe, it is not such a bad idea to go ahead and publish because
you have to assume that pretty soon, irresponsible parties discover
it, too.

An aspect that's interesting, too: Should eEye/Microsoft have
contacted the Apache developers prior to the publication of their
patch/advisories?

> When a vendor is alerted, the VCC is CC'd (pun not intentional) and this way
> a co-ordinated full alert can go out when the time is right.

Well, I'm constantly being told that nowadays, handling security
issues requires a business model, and so we are facing questions
whether the VCC may sell early access to its data etc.

Personally, I expect that such a VCC is just another institution to
which you can pay money in order to receive prepublication access
about security issues.

-- 
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

