CERT Narrows Window for Security Holes
Advisory service will report all flaws within 45 days
October 16, 2000 12:00 PM ET, Computerworld
Users who support public disclosure of security vulnerabilities got an unexpected boost recently.
Carnegie Mellon University's CERT Coordination Center security advisory service last week instituted a new policy under which it plans to publicly disclose all software flaws and vulnerabilities 45 days after they're first reported to the organization.
The policy builds on Pittsburgh-based CERT's usual practice of issuing periodic security advisories to its clients. Until now, such advisories have been restricted only to vulnerabilities that the center considers particularly serious and in need of immediate attention by users. But as part of the new policy, CERT will start issuing what are expected to be far more frequent "vulnerability reports" on all security problems that are reported to the center and can be proven true, said CERT member Shawn Hernan.
The new policy is a good thing for users, said Josh Turiel, a network manager at Holyoke Mutual Insurance Co. in Salem, Mass. "I'm a big believer in full disclosure [of security problems]," Turiel said. "Forty-five days is a very reasonable time for a vendor to fix a flaw. . . . [If] it is not done by then, users should know."
Under the new policy, CERT will pass on all relevant information about a specific security problem to the vendor. But after 45 days - or earlier, if warranted - the information will be released to the public, regardless of whether or not the problem has been fixed, Hernan said.
"The policy is really an attempt to balance the needs of the vendors with those of the general public," he added.
Releasing Info Questioned
CERT's plan to start making more frequent disclosures of software vulnerabilities comes at a time when some security experts are questioning the wisdom of publicly releasing such information.
In a keynote speech at July's Black Hat Briefings security conference in Las Vegas, for example, security researcher Marcus Ranum charged that the full-disclosure approach isn't improving computer security. Instead, Ranum said, it's only encouraging more attacks by providing would-be hackers with information on how to exploit vulnerabilities to break into systems.
It's a contention that's challenged by security professionals such as Ryan Russell, an MIS manager at SecurityFocus.com, an online bulletin board and security portal in San Mateo, Calif. Last year, the SecurityFocus site posted 575 vulnerability reports.
"I'm firmly in the full-disclosure camp," Russell said. Giving users as much detailed information about vulnerabilities as quickly as possible helps companies take appropriate action to mitigate risks and protect themselves from attacks, he added.
"I would rather run the risk of having someone exploit a vulnerability I know about than have them exploit something I don't know about," agreed Turiel.