CERT's full-disclosure policy is responsible, but mistrust remains

William Jackson

The first computer security flaws revealed under the Computer Emergency Response Team Coordination Center's new disclosure policy should start showing up very shortly.

CERT will publish vulnerability notes and, for particularly serious problems, special advisories.

The center, housed at Carnegie Mellon University's Software Engineering Institute, announced late last year it would make fuller, though not total, disclosures, of security flaws.

'All vulnerabilities reported to the CERT will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors,' it announced.

THE 45-DAY LIMIT is not hard and fast. Especially serious threats could be announced earlier, and disclosure could be delayed for threats that require changes in core systems or components.

But in general, 45 days gives vendors enough time to fix problems, while still being 'a pretty tough deadline for a large organization to meet,' CERT concluded.

The announcement stirred up quite a bit of interest in light of the simmering controversy over full disclosure.

Marcus J. Ranum, security guru and chief executive officer of Network Flight Recorder Inc. of Rockville, Md., has come out against the disclosure of full details about vulnerabilities'including software 'toolz' to exploit them'before fixes have been released.

'Distributing these toolz is not helping,' Ranum told an audience at the Black Hat Briefings in Las Vegas in July. 'Free speech in computer security has created an enormous gray area where people are comfortable doing irresponsible things.'

BUT MANY GRAY-HAT hackers say the threat of exposure is the only way to ensure fixes from vendors of buggy software.

And many systems administrators say the more they know about the nature of the threats they face, the better they are able to protect themselves.

The new CERT policy is a well-crafted effort to walk a fine line between the two camps and forestall the release of software intended to exploit security holes.

'We will not distribute exploits,' CERT said. 'We will, however, disclose information about vulnerabilities that we might not have previously disclosed.'

The goal is to put the sensitive information into the hands of those who need it in the hope that it will stop there.

'In our experience, if there is not responsible, qualified disclosure of vulnerability information, then researchers, programmers, system administrators and other information technology professionals who discover vulnerabilities often feel they have no choice but to make the information public in an attempt to coerce the vendors into addressing the problem,' CERT said.

THE CERT POLICY, responsible as it may be, does not resolve the underlying issue of full disclosure.

Many IT professionals are wary about the quality of software being released and seldom trust the vendors to voluntarily fix holes in their products.

It will be hard to put an end to buggy software because all software starts out imperfect, and anyone willing to work long enough can usually poke a few holes in a program. But the lack of trust from customers is an embarrassment to the software industry that it should be moving faster to correct.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group