Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
Florian Weimer <fw@deneb.enyo.de> Thu, 26 December 2002 23:29 UTC
To: Chris Wysopal <cwysopal@atstake.com>
Cc: Valdis.Kletnieks@vt.edu, jasonc@science.org, coley@mitre.org, dee3@torque.pothole.com, ietf@ietf.org, kre@munnari.OZ.AU, info@knowngoods.org, Bruce Schneier <schneier@counterpane.com>, cert@cert.org, Clinton Kreitner <kreitner@home.com>, Alan Paller <AlanPaller@aol.com>, Hal Pomeranz <hal@deer-run.com>
Subject: Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt
References: <ILEPILDHBOLAHHEIMALBIEDAEHAA.jasonc@science.org> <200212261833.gBQIXCb1003620@turing-police.cc.vt.edu> <87y96cd14p.fsf@deneb.enyo.de> <3E0B8713.1040906@atstake.com>
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 27 Dec 2002 00:25:52 +0100
In-Reply-To: <3E0B8713.1040906@atstake.com> (Chris Wysopal's message of "Thu, 26 Dec 2002 17:47:47 -0500")
Message-ID: <87of78cqgv.fsf@deneb.enyo.de>
Chris Wysopal <cwysopal@atstake.com> writes:

> I was not aware of the paid prepublication access that some
> coordinators provide at the time the draft was written. I don't know
> if Steve knew this. This was a new concept at the time. I have heard
> that CERT is willing to keep researcher submissions confidential if
> requested. But this is second hand knowledge.

Only one (!) FIRST member has responded to an informal request to clarify these issues and assured me that they won't share information before publication. However, they do receive about one request per month for such information (not too surprising considering their position).

BTW, have a look at <http://www.itworld.com/Sec/2210/IDG01419cert/> (and look at the publication date). This press article suggests that members of the Internet Security Alliance receive plenty of information. I wonder how many researchers who contact CERT/CC have this crucial background information. Unfortunately, the CERT/CC FAQ is open to interpretation -- whether sharing with ISA members is implicit or explicit, mandatory or optional.

Half a year ago I was being laughed at when I remarked that a trusted coordinator with a viable business model that does not include paid early access is a big problem. *sigh*

> There are some organizations that prepublish minimal information
> such as the software and version affected by a vulnerability and
> perhaps workaround information.

This is what ISS does. Their clients are granted access to the full advisory, according to their published policy. But thanks for clarifying that this is just an error in the documentation. :-)

> I have heard secondhand that CERT prepublication information is much
> more detailed. I could see a market for prepublication exploit code.

There is already such a market. Several organizations are buying, and researchers are selling. The most visible but still regularly overlooked example is iDEFENSE. (In the past, some vendors even thanked iDEFENSE for responsibly disclosing a vulnerability, even though they didn't receive a single day of advance notice!)

There is even a market for post-publication exploit code: creating IDS signatures and test cases for scanning tools is quite a bit easier if you've got working exploit code. Most of the time, you are lost if you haven't got the source code of the vulnerable software, and even if there is source code, it often contradicts what the vendors tell you, or you have to wade through thousands of lines of patches. Furthermore, considerable expertise in the protocols involved in the issue might be needed. If I were an IDS/network scanner vendor, I'd really try to play the Coordinator role for this reason.

Nowadays, you won't get the exploit code from public archives most of the time (although you can always ask, but with varying degrees of success...).