Vulnerability Coordination

From: David Litchfield (davidat_private)
Date: Mon Jun 17 2002 - 18:22:52 PDT


    Wow. What an interesting set of colourful responses I got after suggesting
    the creation of a vulnerability coordination centre. This is obviously
    something that people feel very strongly about and the general perception I
    get is that such a group would be something to fear like Big Brother.
    
    What is being suggested is the creation of, not some Orwellian entity
    designed to control release of security information, but a body of trust,
    based upon cooperation, to work towards the timely and safe announcement of
    new vulnerabilities. For example, I have a good relationship with a number
    of security researchers to the extent where we can quite happily exchange
    new vulnerability information between ourselves because there is a bond of
    trust. I know they will not abuse the information I have given them and,
    likewise, they know I will not abuse the information they have given me.
    What we have here is a working model of such a platform. When I alert a
    vendor to a bug, I can ask these guys if they've done any similar work. Fine
    on a small scale but in the larger more 'real' world?
    
    Here's how I would see a typical scenario for a VCC.
    
    Security Researcher Harry finds a vulnerability in vendor X's software so he
    alerts X and VCC. Security Researcher Ron also discovers a vulnerability in
    the same product and tells X and VCC. Neville, who is a volunteer at VCC,
    looks at both vulnerability reports and ascertains that Harry and Ron have
    found two separate vulnerabilities and performs no action. But later on in
    the month, Hermione, who has also been looking at the product
    from X also notes a vulnerability. On alerting X and VCC, Neville and the
    security contact at X can both tell Hermione that she has discovered what
    Harry has already discovered. Neville can also let Hermione know what the
    current plan for releasing an advisory is. This way both Hermione and Harry
    can get the credit for the discovery and the general public are alerted when
    a patch has been made available and so everyone wins. Where the strength of
    the VCC comes in to play is where the vendor neglects to tell the later
    researcher that the problem has been discovered before. What's also
    important to note is that just because VCC has been given this information
    doesn't mean they go giving it to anyone that asks - hence the NOP with
    Harry and Ron. You only get this kind of situation when trust has been built
    up, though.
    
    Assume such an organization did exist. No one would be forced to join the
    group, no one would be forced to adhere to any guidelines - it's not about
    control but about collective cooperation. CERT is the perfect organization
    for this kind of thing. Some have asked though, "Why should I trust CERT?"
    and the answer is, of course, "You don't have to." For those that do trust
    CERT, however, and want to get involved, then go ahead.
    
    (I know it sort of seems like I'm volunteering CERT to do the job, here, on
    their behalf but I'm only using them as an example organization that would
    suit such a role.)
    
    
    The bottom line is those that think it's a good idea - get behind it. Those
    that think it sucks - well - just keep on doing what you're doing already.
    
    Here's what I'm going to do in the interim. Every time I alert a vendor to
    a vulnerability I'll send a note to CERT and CVE at the same time. I,
    personally, trust them and until they do something to the contrary they will
    keep my trust. I'd suggest to others that may think this is a good idea to
    do likewise. You never know, something useful might come out of all of this
    ;-)
    
    Longer term, what I'd like to see is organizations like CERT and CVE
    publishing a separate e-mail address to be used for such things - of course
    that's their call though.
    
    Cheers,
    David Litchfield
    Next Generation Security Software Ltd
    http://www.ngssoftware.com/
    +44(0)208 401 0070

    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 11:39:21 PDT