Bugtraq mailing list archives

Re: Pro Disclosure (was Re: UnixWare)


From: paul () vix com (Paul A Vixie)
Date: Sat, 30 Apr 1994 01:00:46 -0700


I think this anti-CERT sentiment is misplaced.  If someone tells CERT about
a bug and CERT manages to tell the vendors about the bug, before _everybody_
knows about the bug, then it seems to me that a good service has been done.

Generally what happens is:

        a bad guy finds a hole
        lots of bad guys use the hole
        some good guy notices the hole being used, and tells CERT
        CERT tells the vendors
        some vendors get a binary patch together; others ignore it
        CERT tells the world of the existence (but not details!) of the hole,
                and gives references to the vendor's patches, and suggested
                workarounds
        the rest of the bad guys learn about and use the hole
        the good guys eventually figure out what the hole was

I, like others on this list, would like the last step shown above to come
earlier in the script than it does now.  But since there is no way to give
information to _just_the_good_guys_ or at least enough of them to matter,
I think CERT's approach approaches do-least-evil.  And they do some good.
If anyone here has a better approach in mind, let's hear it, ok?

[ the last major hole CERT reported was one of mine :-( ]
