CERT's full disclosure policy is responsible, but mistrust remains
The first computer security flaws revealed under the Computer Emergency Response Team Coordination Center's new disclosure policy (see story at www.gcn.com/vol1_no1/daily-updates/3091-1.html) should start showing up this week.
CERT will publish vulnerability notes and, for particularly serious problems, special advisories. The center, housed at Carnegie Mellon University's Software Engineering Institute, announced last month it would make fuller, though not total, disclosures.
'All vulnerabilities reported to the CERT will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors,' it announced.
The 45-day limit is not hard and fast. Especially serious threats could be announced earlier, and disclosure could be delayed for threats that require changes in core systems or components. But in general, 45 days gives vendors enough time to fix problems, while still being 'a pretty tough deadline for a large organization to meet,' CERT concluded.
The announcement stirred up quite a bit of interest in light of the simmering controversy over full disclosure.
Marcus J. Ranum, security guru and chief executive officer of Network Flight Recorder Inc. of Rockville, Md., has come out against the disclosure of full details about vulnerabilities, including software toolz to exploit them, before fixes have been released [GCN, Aug. 21, Page 53].
'Distributing these toolz is not helping,' Ranum told an audience at the Black Hat Briefings in Las Vegas in July. 'Free speech in computer security has created an enormous gray area where people are comfortable doing irresponsible things.'
But many gray-hat hackers say the threat of exposure is the only way to ensure fixes from vendors of buggy software. And many systems administrators say the more they know about the nature of the threats they face, the better they can protect themselves.
The new CERT policy is a well-crafted effort to walk a fine line between the two camps and forestall the release of software intended to exploit security holes.
'We will not distribute exploits,' CERT said. 'We will, however, disclose information about vulnerabilities that we might not have previously disclosed.'
The goal is to put the sensitive information into the hands of those who need it in the hope that it will stop there.
'In our experience, if there is not responsible, qualified disclosure of vulnerability information, then researchers, programmers, system administrators and other information technology professionals who discover vulnerabilities often feel they have no choice but to make the information public in an attempt to coerce the vendors into addressing the problem,' CERT said.
The CERT policy, responsible as it may be, does not resolve the underlying issue of full disclosure. Many IT professionals are wary about the quality of software being released and seldom trust vendors to voluntarily fix holes.
It will be hard to put an end to buggy software because all software starts out imperfect, and anyone willing to work long enough can usually poke a few holes in it. But the lack of trust from customers is an embarrassment to the software industry that it should be moving faster to correct.