oss-sec mailing list archives

Re: Vendor-sec hosting and future of closed lists


From: Art Manion <amanion () cert org>
Date: Tue, 15 Mar 2011 16:52:35 -0400

On 2011-03-08 14:56, Andrea Barisani wrote:
> On Tue, Mar 08, 2011 at 10:59:57AM -0500, Josh Bressers wrote:
> > 3) Are we going to annoy other CERTs? Will they even care?
>
> I don't think this is an issue. We positively worked with other CERTs when that
> was applicable anyway.

Speaking for CERT/CC, we have no problem with oCERT or anyone else
running a private coordination list/function.  In fact, we have no
illusion of control over such activity.

I think some sort of private coordination/embargo period capability is
useful, it seems like the vendor-sec model worked reasonably well for
the constituency -- low overhead, some leaking, but on the balance
fairly effective during its lifespan.  My observation is that CERT/CC's
process is probably too much overhead for typical open source
vulnerabilities, although we'll still be involved in some cases that
cross multiple open/closed/commercial/non-commercial vendors.

CERT/CC could also possibly host a "vendor-sec replacement" mailing
list, however we'd have to consider (as already noted in this thread)
how to vet members, encryption (or not), overhead, etc.  I'd think this
capability would be better provided by oCERT or Openwall or someone
closer to the community.


 - Art