Bugtraq mailing list archives

Re: ISS Apache Advisory Response


From: Thomas Reinke <reinke () e-softinc com>
Date: Fri, 21 Jun 2002 16:05:29 -0400


"Klaus, Chris (ISSAtlanta)" wrote:

> There has been a lot of misinformation spread about our ISS Apache Advisory
> and I wanted to clean up any confusion and misunderstanding.
>
> 1)      Our policy for publishing advisories is to give a vendor a 30 to 45
> day quiet period to provide an opportunity to create a patch or work around.
> If an exploit for the vulnerability appears in the wild, or a patch and
> work-around is provided by the vendor or ISS X-Force, this quiet period is
> disregarded and the ISS X-Force advisory is published immediately.
>
> In the case of this advisory, ISS X-Force provided an Apache patch and did
> not see a need for a long quiet period.

Perhaps I am missing something here.  Did you provide a patch for the
RedHat RPM distribution?  The Windows 32 binary distribution?  The
XYZ distro?  It is a somewhat myopic view to claim that the
availability of a software patch automatically means everyone has
the means to apply it.  On the one hand, you honor a vendor quiet
period. On the other hand, you disregard the purpose of the quiet
period: to allow the vendor an opportunity to create a solution
CONSUMABLE BY THE END-USERS.

> Due to the general nature of open-source and its openness, the virtual
> organizations behind the projects do not have an ability to enforce strict
> confidentiality.  By notifying the open source project, its nature is that
> the information is quickly spread in the wild disregarding any type of quiet
> period.  ISS X-Force minimizes the quiet period and delay of protecting
> customers by providing a security patch.

You honestly believe that, say,
10 individuals or so within an open source organization have any
more or less ability to prevent information dissemination than
providing information to a proprietary product vendor? And why
is that? Do you know what the vendors' security issue handling
procedures are?  Open sources'? The fact is, no-one has the ability
to enforce strict confidentiality.  Tomorrow, if an Unnamed Vendor
employee is fired for leaking sensitive information, will you
then release an early advisory against the Unnamed Vendor's product
because they have been shown to have information leakage? Using "this is
open source" to support early release is bogus.

There certainly may have been some misinformation going about.
But if you honestly believe the community using Apache would be
served effectively by your patch, then you have a very poor
understanding of product usage, IMHO.


> ISS has made these decisions based on our mission to provide the best
> security to our customers and being a trusted security advisor.

Regrettably, that's not the impression that was left.

Thomas Reinke



> Sincerely,
> Christopher W. Klaus
>
> ***********************************************************************
> Christopher W. Klaus
> Founder and CTO
> Internet Security Systems (ISS)
> 6303 Barfield Road
> Atlanta, GA 30328
> Phone: 404-236-4051 Fax: 404-236-2637
> web http://www.iss.net
> NASDAQ: ISSX
> Internet Security Systems ~ The Power To Protect

-- 
------------------------------------------------------------
E-Soft Inc.                         http://www.e-softinc.com
Publishers of SecuritySpace     http://www.securityspace.com
Tel: 1-905-331-2260                      Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831

