Information Security News mailing list archives

Security group issues ultimatum for bug patches


From: William Knowles <wk () C4I ORG>
Date: Tue, 10 Oct 2000 18:50:24 -0500

http://news.cnet.com/news/0-1005-200-3146784.html?tag=st.ne.1430735..ni

By Erich Luening
Staff Writer, CNET News.com
October 9, 2000, 4:55 p.m. PT

An influential computer security group has instituted a new policy
that gives software companies just 45 days to fix security flaws
before it goes public with reported defects--a move that could lead to
greater openness in discussions about software vulnerabilities, some
security experts say.

The Computer Emergency Response Team (CERT) at Carnegie Mellon
University said it will begin to publicly disclose software
vulnerabilities after the deadline period regardless of the existence
or availability of patches or workarounds from affected companies.
Previously CERT did not disclose such vulnerabilities.

The policy, announced last week, took effect Monday.

CERT's decision to go public with unsolved security flaws could
significantly influence a longtime debate about the best way to
disclose software vulnerabilities. While some well-known bug hunters
give companies just a few hours notice before publicly disclosing an
exploit, many prefer to work quietly with software companies to fix
the problem and then announce the patch instead of just a hole.

Experts said CERT's policy shift follows a trend toward full
disclosure, although CERT couched its new stance as taking a middle
ground.

"This is a way for us to effect some change in the way vulnerabilities
are disclosed," said Cory Cohen, a CERT security team member. "We see
it as a middle-of-the-road decision. We won't disclose exploits ... We
will disclose information about vulnerabilities to inform the public
and give vendors a set time frame to release a patch."

Software makers and security companies that prefer to keep the public
out of the security loop argue that openly discussing vulnerabilities
gives hackers a dangerous source of information on new exploits. Such
flaws should not be disclosed, they say, until after the software
maker has released a patch for the problem.

Others, who believe that public discussion offers the better course,
have established closely watched security forums, such as BugTraq,
where flaws and exploits are openly dissected.

Exploits are source code that illustrates how any programmer could
take advantage of a vulnerability, something Cohen said the new policy
will not disclose.

Cohen added that the goal of the policy is to balance the need of the
public to be informed of security vulnerabilities with the companies'
need for time to respond effectively. CERT anticipates the first
information released under the new policy will be available around
Nov. 20.

Security experts said it is unclear if CERT's decision to opt for
openness is sufficient to change the way companies disclose their own
software security information.

"This is a step in the right direction," said Elias Levy, chief
technology officer for SecurityFocus.com and moderator of the BugTraq
mailing list. "But only time will tell how things will be done
industrywide. This definitely is a shift in the debate, though,
because CERT is a significant" organization in the security community.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

