Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt

Florian Weimer <fw@deneb.enyo.de> Thu, 26 December 2002 23:29 UTC

To: Chris Wysopal <cwysopal@atstake.com>
Cc: Valdis.Kletnieks@vt.edu, jasonc@science.org, coley@mitre.org, dee3@torque.pothole.com, ietf@ietf.org, kre@munnari.OZ.AU, info@knowngoods.org, Bruce Schneier <schneier@counterpane.com>, cert@cert.org, Clinton Kreitner <kreitner@home.com>, Alan Paller <AlanPaller@aol.com>, Hal Pomeranz <hal@deer-run.com>
Subject: Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
References: <ILEPILDHBOLAHHEIMALBIEDAEHAA.jasonc@science.org> <200212261833.gBQIXCb1003620@turing-police.cc.vt.edu> <87y96cd14p.fsf@deneb.enyo.de> <3E0B8713.1040906@atstake.com>
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 27 Dec 2002 00:25:52 +0100
In-Reply-To: <3E0B8713.1040906@atstake.com> (Chris Wysopal's message of "Thu, 26 Dec 2002 17:47:47 -0500")
Message-ID: <87of78cqgv.fsf@deneb.enyo.de>
Sender: owner-ietf@ietf.org

Chris Wysopal <cwysopal@atstake.com> writes:

> I was not aware of the paid prepublication access that some
> coordinators provide at the time the draft was written.  I don't know
> if Steve knew this.  This was a new concept at the time. I have heard
> that CERT is willing to keep researcher submissions confidential if
> requested. But this is second hand knowledge.

Only one (!) FIRST member has responded to an informal request to
clarify these issues and assured me that they won't share information
before publication.  However, they do receive about one request per
month for such information (not too surprising considering their
position).

BTW, have a look at <http://www.itworld.com/Sec/2210/IDG01419cert/>
(and look at the publication date).  This press article suggests that
members of the Internet Security Alliance receive plenty of
information.  I wonder how many researchers who contact CERT/CC have
this crucial background information.  Unfortunately, the CERT/CC FAQ
is open to interpretation -- whether sharing with ISA members is
implicit or explicit, mandatory or optional.

Half a year ago I was being laughed at when I remarked that a trusted
coordinator with a viable business model that does not include paid
early access is a big problem. *sigh*

> There are some organizations that prepublish minimal information
> such as the software and version affected by a vulnerability and
> perhaps workaround information.  This is what ISS does.

Their clients are granted access to the full advisory, according to
their published policy.  But thanks for clarifying that this is just
an error in the documentation. :-)

> I have heard secondhand that CERT prepublication information is much
> more detailed. I could see a market for prepublication exploit code.

There is already such a market.  Several organizations are buying, and
researchers are selling.  The most visible but still regularly
overlooked example is iDEFENSE.  (In the past, some vendors even
thanked iDEFENSE for responsibly disclosing a vulnerability, even
though they didn't receive a single day of advance notice!)

There is even a market for post-publication exploit code: Creating IDS
signatures and test cases for scanning tools is quite a bit easier if
you've got working exploit code.  Most of the time, you are lost if
you haven't got the source code of the vulnerable software, and even
if there is source code, it often contradicts what the vendors tell
you, or you have to wade through thousands of lines of patches.
Furthermore, considerable expertise in the protocols involved in the
issue might be needed.

If I were an IDS/network scanner vendor, I'd really try to play the
Coordinator role for this reason.  Nowadays, you won't get the exploit
code from public archives most of the time (although you can always ask,
but with varying degrees of success...).