Unbiased.
Security Flaw Finder Severs Ties with CERT
Software security consultant Next Generation Security Software (NGSS) has severed ties with the federally funded CERT Coordination Center, accusing the non-profit organization of selling early access to vulnerability warnings long before vendor fixes are made available.
NGSS co-founder Mark Litchfield told internetnews.com it was "annoying" that CERT/CC gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available. "The problem became apparent when the vendor we're working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege," Litchfield argued. He vowed NGSS would cut off the vulnerability warning clearinghouse from all future bug warnings until CERT/CC signs a binding non-disclosure agreement that it would not share early access with its paid sponsors.

At the center of the brouhaha is the Internet Security Alliance, a group that sponsors the operations of the CERT/CC. The alliance, a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI), CERT/CC and the Electronic Industries Alliance (EIA), provides paid members a portal for up-to-the-minute threat reports.

CERT/CC manager Jeff Carpenter confirmed the IS Alliance relationship but contends this is nothing new, noting that it's public knowledge that the Center shares information prior to public disclosure with trusted partners. In fact, CERT/CC's disclosure policy, available on its Web site, makes it clear the Center would provide early warnings "to anyone who can contribute to the solution and with whom we have a trusted relationship". Those include vendors, community experts, CERT/CC sponsors, members of the Internet Security Alliance (including private sector organizations), and sites that are part of a national critical infrastructure.

"We're surprised NGSS would have a problem now. We released that disclosure policy more than two years ago and, before we released it, we spoke to all the vendors and gave the security community an opportunity to discuss it at length," CERT/CC's Carpenter said in an interview with internetnews.com.

Litchfield said NGSS did not know the IS Alliance pays as much as $70,000 to the CERT/CC to be a sponsor and charges $25,000 for full membership and $3,000 for associate membership. "This amounts to them profiting from our hard work. The fact that they're selling pre-disclosed vulnerability information to third parties is annoying. We don't profit from our own vulnerability discoveries. We're a small firm and we don't make money from it so why should they?"

--By Ryan Naraine, source: Internet News.com. Article can be read here.