RE: Vulnerability Coordination

From: Oliver Petruzel (oliver.petruzel@corbett-tech.com)
Date: Tue Jun 18 2002 - 10:59:39 PDT


    [Cross-posted to the very relevant vuln-dev list for a reason...]
    
    Two questions come to mind:
    
    1 - first, if not CERT, then what pool do you draw from to form this new "coordination" team?
    2 - Have you considered going so far as to revise/rewrite RFP's disclosure methodology?  The problem with such a plan is the lack of a central body with time and effort to develop this team.  If you have that time, then LOUD announcements would need to be made upon completion, and reason/logic presented clearly to EVERYONE AROUND THE GLOBE who works in security.
    
    I take it as a given that this is a privately formed body, with little or no government intervention.  But to be honest, there will HAVE to be a government official present in the team for national security reasons.  What then?  Well then you have severe distrust as the world would know that Uncle Sam has eyes and ears on all new vulnerabilities prior to patch... thus, you come full circle as to why CERT is not used every time in this capacity today... A real Trust is VERY improbable even though the reasons behind such a VCC are sound.
    
    ...in a perfect world...
    
    Following this line of thought, you have to have VCC reps from anywhere that wants to be a part... thus giving global access to VERY sensitive and powerful information... riiiiight... somebody somewhere will abuse it, and then it's game over, back to square one where we are now, except THEN you would add this VCC to the mix of less effective reporting bodies causing more disclosure chaos...
    
    -- thoughts --
    
    So if you DO need to centralize or standardize reporting of vulnerabilities, what is the answer?  Perhaps an industry-wide RFC acceptance is required.  Create a de-facto standard as you would with protocol invention or any other communications standard (after all, we ARE discussing protocol).  Once in place, as with TCP, the world will migrate to this standard FOR THE MOST PART, and the ones who do not will be the odd few... (token ring anyone?).
    
    I have always felt that both RFP's disclosure policy, and perhaps even ideahamster's OSSTMM, should be taken to the next level of standardization... and the only parallels I can see are RFC or ICANN acceptance...
    
    Oliver Petruzel
    Sr. Network Security Engineer, SEG
    Corbett Technologies
    http://www.corbett-tech.com
    work: 703-519-8639 x280
    cell: 703-608-8250
    
    -----Original Message-----
    From: David Litchfield [mailto:davidat_private]
    Sent: Monday, June 17, 2002 9:23 PM
    To: bugtraqat_private
    Subject: Vulnerability Coordination
    
    never know something useful might come out of all of this
    ;-)
    
    Longer term, what I'd like to see is organizations like CERT and CVE
    publishing a separate e-mail address to be used for such things - of course
    that's their call though.
    
    Cheers,
    David Litchfield
    Next Generation Security Software Ltd
    http://www.ngssoftware.com/
    +44(0)208 401 0070
    