CERT Crafts New Policy for Publishing Software Flaws

CERT is attempting to balance the public's right to know about software vulnerabilities with the manufacturer's right to fix problems before they become public knowledge.

WASHINGTON, D.C. -- The CERT Coordination Center -- a government-funded Internet security project -- posted a new policy in October stating it would begin publishing information about vulnerabilities in commercial software 45 days after they are initially reported. In most cases, CERT said, it will publish the information whether or not a software patch or workaround has been developed or disseminated.

"It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively," states the new policy. "The final determination of a publication schedule will be based on the best interests of the community overall."

CERT said it would continue to refrain from publishing "exploits," or examples of computer code or programs that show how a given vulnerability may be exploited, arguing that publishing such examples only gives malicious hackers the ammunition with which to attack vulnerable programs and Web sites.
"In our experience, the number of people who can benefit from the availability of exploits is small compared to the number of people who get harmed by people who use exploits maliciously," said CERT in its advisory.

The announcement goes to the heart of the debate in Web security circles: Namely, whether "full disclosure" -- notices that include detailed exploits -- does more harm than good.

Russ Cooper, the "surgeon general" for the Internet Computer Security Association, said the new policy was an attempt to dispel the commonly held belief that CERT withholds many of the security alerts it gathers until the vendor has produced a patch.

"There's been a constant belief that CERT knew of things but never told anyone other than the vendor," said Cooper. "This is an attempt for them to stake a position in this debate."

Finding the Middle Road

Cooper said the CERT standard was more in line with his "middle of the road" policy of waiting for the vendor's response before moving to the next step. Often, he said, the purported new discovery is a vulnerability that has already been detailed in a previous release. Other times, he said, those reporting the security problem may simply have misinterpreted the results of the tests they ran.

Cooper's policy, posted on www.ntbugtraq.com, contrasts sharply with that of organizations like SecurityFocus, whose full and immediate disclosure policy often means posting exploits in vulnerability alerts even as attempts are made to contact the vendor.

SecurityFocus chief technology officer Elias Levy called CERT's announcement a step in the right direction. Levy defended his company's policy, noting that most software vendors simply won't fix a bug or security hole in their products unless they can clearly see that a working exploit for the vulnerability already exists.

"A lot of vendors will say, 'This is merely a theoretical problem' until somebody writes an exploit," said Levy. "Only then does it become more than just a theoretical problem for them."

Levy said most of the exploit information on his site is already available through underground hacker networks and popular Usenet newsgroups, and that SecurityFocus is simply a central place where system administrators can go for authoritative information. He noted that while CERT is reluctant to release exploit information itself, three of the past four CERT advisories linked to SecurityFocus for more information.

Difficult Decisions

In its new policy, CERT also said it would publish the name and contact information of the person who reported the vulnerability. That provision was included both to mollify those in the security community who crave recognition for their hard work, and to persuade them to give the vendor a chance to fix the problem before going public with their findings.

At the radical end of the spectrum are people like Georgi Guninski, a Bulgarian computer expert who makes a living finding vulnerabilities in Microsoft's programs -- particularly Internet Explorer -- and posting them on the Internet for any and all to see.

Companies such as Microsoft have established policies that encourage hackers to report vulnerabilities to the vendor before going public.

"Their policy says that if you tell us first, we'll put your name on the published advisory," said Cooper. "If you go somewhere else first, they won't."

That policy, however, is unlikely to deter many in the hacker community, said Levy.

Allan Paller, director of research for the Systems Administration, Networking and Security Institute, said CERT's new 45-day waiting period is not going to change much.

"If they're saying they're not going to publish this information for 45 days because a fix hasn't yet been announced by the vendor, that just plays into the hands of the bad guys, because the bad guys don't need 45 days," said Paller.

Still, said Paller, CERT can hardly satisfy both camps with its new policy.

"They're in a very hard position, where they're sort of damned if they do, and damned if they don't say anything about" a given security problem on a timely basis, said Paller.

Levy attributed the new policy to a "changing of the guard" at CERT, noting that the organization is increasingly staffed by a generation of fairly young programmers who have grown up in an era of "full disclosure."

Corey Cohen, a member of the CERT technical staff, said the new policy was more about the need to publish a wider range of vulnerability information. CERT has gained a reputation, he said, for being fairly good at issuing alerts on most of the "biggie" security problems that affect large numbers of software users.

Cohen said that, because of staffing and funding constraints, CERT has been less likely to publish alerts about software products that are not widely used, or about problems that require many preconditions to be in place before they can be exploited.

"We need to give a wider range of information out there, because there are a number of vulnerabilities that we haven't traditionally made announcements about," said Cohen. "So part of what we're saying is we'll talk about vulnerabilities and provide more information about what we do have even if it's not a terribly severe problem." -- Newsbytes