Vulnerability Development mailing list archives

RE: Vulnerability Coordination


From: "Oliver Petruzel" <oliver.petruzel () corbett-tech com>
Date: Tue, 18 Jun 2002 13:59:39 -0400

[Cross-posted to the very relevant vuln-dev list for a reason...]

Two questions come to mind:

1 - first, if not CERT, then what pool do you draw from to form this new "coordination" team?
2 - Have you considered going so far as to revise/rewrite rfp's disclosure methodology?  The problem with such a plan 
is the lack of a central body with time and effort to develop this team.  If you have that time, then LOUD 
announcements would need to be made upon completion, and reason/logic presented clearly to EVERYONE AROUND THE GLOBE 
who works in security.

I take it as a given that this is a privately formed body, with little or no government intervention.  But to be 
honest, there will HAVE to be a government official present in the team for national security reasons.  What then?  
Well then you have severe distrust as the world would know that Uncle Sam has eyes and ears on all new vulnerabilities 
prior to patch... thus, you come full circle as to why CERT is not used every time in this capacity today... A real 
trust is VERY improbable even though the reasons behind such a VCC are sound.

...in a perfect world...

Following this line of thought, you have to have VCC rep's from anywhere who wants to be a part... thus giving global 
access to VERY sensitive and powerful information... riiiiight... somebody somewhere will abuse it, and then it's game 
over, back to square one where we are now, except THEN you would add this VCC to the mix of less effective reporting 
bodies causing more disclosure chaos...

-- thoughts --

So if you DO need to centralize or standardize reporting of vulnerabilities, what is the answer?  Perhaps an 
industry-wide RFC acceptance is required.  Create a de-facto standard as you would with protocol invention or any other 
communications standard (after all, we ARE discussing protocol).  Once in place, as with TCP, the world will migrate 
to this standard FOR THE MOST PART, and the ones who do not will be the odd few... (token ring anyone?).  

I have always felt that both RFP's disclosure policy, and perhaps even ideahamster's OSSTMM, should be taken to the 
next level of standardization... and the only parallels I can see are RFC or ICANN acceptance...

Oliver Petruzel
Sr. Network Security Engineer, SEG
Corbett Technologies
http://www.corbett-tech.com
work: 703-519-8639 x280
cell: 703-608-8250



-----Original Message-----
From: David Litchfield [mailto:david () ngssoftware com]
Sent: Monday, June 17, 2002 9:23 PM
To: bugtraq () securityfocus com
Subject: Vulnerability Coordination

never know something useful might come out of all of this
;-)

Longer term, what I'd like to see is organizations like CERT and CVE
publishing a separate e-mail address to be used for such things - of course
that's their call though.

Cheers,
David Litchfield
Next Generation Security Software Ltd
http://www.ngssoftware.com/
+44(0)208 401 0070