Bugtraq mailing list archives

ISS Apache Advisory Response


From: "Klaus, Chris (ISSAtlanta)" <CKlaus () iss net>
Date: Thu, 20 Jun 2002 18:06:03 -0400

There has been a lot of misinformation spread about our ISS Apache Advisory,
and we wanted to clean up any confusion and misunderstanding.

1)      Our policy for publishing advisories is to give a vendor a 30- to
45-day quiet period to provide an opportunity to create a patch or workaround.
If an exploit for the vulnerability appears in the wild, or a patch and
work-around is provided by the vendor or ISS X-Force, this quiet period is
disregarded and the ISS X-Force advisory is published immediately.
 
In the case of this advisory, ISS X-Force provided an Apache patch and did
not see a need for a long quiet period.
 
2)      The original ISS X-Force Apache Patch did work properly against the
specific vulnerability described by X-Force, despite claims that it did not.
The Apache and CERT advisories on their websites have been corrected to
reflect this.

3)      ISS was not aware of other researchers discovering this
vulnerability, nor aware of it in the wild, at the time of the release of the
advisory.

4)      Following along with Presidential Decision Directive-63, ISS had
cooperated and coordinated with the National Infrastructure Protection Center
(NIPC) on this advisory.  We will continue to work with NIPC on upcoming
advisories.

5)      The Gobbles exploit has confirmed our decision to release as soon
as possible, based on our assumption that others were likely to discover the
same vulnerability in the wild.

6)      We do not view this as a race to beat other researchers to releasing
an advisory, but a race to protect our customers in a timely manner.
 
Due to the general nature of open-source and its openness, the virtual
organizations behind the projects do not have an ability to enforce strict
confidentiality.  By notifying the open source project, its nature is that
the information is quickly spread in the wild disregarding any type of quiet
period.  ISS X-Force minimizes the quiet period and delay of protecting
customers by providing a security patch.
 
ISS has made these decisions based on our mission to provide the best
security to our customers and being a trusted security advisor. 
 

Sincerely,
Christopher W. Klaus

***********************************************************************
Christopher W. Klaus
Founder and CTO
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, GA 30328
Phone: 404-236-4051 Fax: 404-236-2637
web http://www.iss.net
NASDAQ: ISSX
Internet Security Systems ~ The Power To Protect