Security company breaks with CERT over disclosure

A long-simmering dispute between the CERT Coordination Center and vulnerability research companies flared into public view Jan. 27, when Next Generation Security Software Ltd. (NGS) announced that it's severing its relationship with CERT, saying that the government-sponsored Internet security reporting center had passed vulnerability information to third parties.

The dispute between NGS and CERT arose over a batch of six software vulnerabilities that NGS shared with CERT at the same time it disclosed them to the affected software vendor, according to Mark Litchfield, co-founder of Sutton, England-based NGS.

Before a patch was issued or the public notified about the vulnerability, the affected software vendor was approached by two government agencies concerning the undisclosed vulnerability. Those agencies said CERT had informed them about the flaw, according to Litchfield.

CERT's vulnerability disclosure policy, which is posted on its Web site, clearly states that the organization distributes vulnerability information prior to public disclosure. Recipients of that information include CERT sponsors, software vendors not affected by the vulnerability, members of the Internet Security Alliance and owners of critical infrastructure, according to the CERT Web site.

Litchfield acknowledged that he wasn't fully aware of the disclosure policy and hadn't carefully read the information posted on the CERT Web site. "Not everyone reads every word on a Web site," he said.

Still, the CERT policy -- especially the disclosure of information to members of the Internet Security Alliance (ISAlliance), a public/private trade group -- rubbed Litchfield the wrong way.

"I saw it as a betrayal in trust. My expectation was that we'd let CERT know about it so that they'd do their own internal research on the issue, do further checks, then write their own advisory and publish it," Litchfield said.

An effort to have CERT sign a nondisclosure agreement with NGS in exchange for continued vulnerability reports was rebuffed, he said.

"As a policy, we've decided that it's not in the public interest to hide vulnerability information from people who need that to defend critical infrastructure," said Jeffrey Carpenter, manager of the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.

Although companies such as NGS profit from the vulnerabilities they discover, CERT has a greater mission to serve the Internet community by passing along vulnerability information to affected companies, Carpenter said.

But by sharing information with the dues-paying members of the ISAlliance, CERT is going beyond its duty to notify affected organizations, Litchfield said. Instead, CERT is essentially selling an early look at vulnerability information to third parties, some of which are potential NGS competitors, he said.

CERT denied any conflict of interests between its role as an independent reporting organization and its practice of disclosing vulnerability information to ISAlliance members and the U.S. government.

Many ISAlliance members are owners of critical infrastructure, including financial institutions, telecommunications companies and software vendors, Carpenter said.

In addition, a strict security screening process and a nondisclosure policy prevent ISAlliance members from circulating the vulnerability information they receive from CERT outside of their organizations, said Larry Clinton, deputy executive director and operations officer of the ISAlliance.

In theory, that should keep information confidentially disclosed to CERT from being spread by other companies. Most security companies aren't taking any chances, however.

"When the ISAlliance was formed, a big part of the value of that was its relationship with CERT and that if you joined, you got detailed vulnerability information," said Chris Wysopal, director of research and development at At Stake Inc. in Cambridge, Mass. "From that point on, most of the people I talk to, other security researchers at other companies, decided not to give any information to CERT unless they needed help [disseminating it]."

The position NGS took in its announcement regarding CERT, while more public, isn't uncommon in the security community, he said. "What we have done, because we are a small company with limited resources, is to contact CERT only with widespread issues."

Litchfield said NGS hasn't decided whether it will use CERT to disseminate information about widespread vulnerabilities.

The rift between the security researchers and CERT could threaten to make the reporting organization irrelevant, Wysopal said. Compared with the period before the announcement of the ISAlliance relationship, recent CERT alerts are more often based on information publicly available elsewhere than on information disclosed exclusively to CERT, Wysopal said.

NGS researchers found a number of high-profile software vulnerabilities in recent years, including the Microsoft SQL Server vulnerability exploited by the Slammer worm last weekend. NGS shared a number of those vulnerabilities with CERT at the same time they were disclosed to the affected software vendor.

CERT had little comment on the NGS decision to stop reporting vulnerabilities. "That's their decision to make," Carpenter said.

CERT, which receives funding from the U.S. Department of Defense, has been under pressure from the federal government in recent years to increase its interactions with the private sector and to get help funding its operation. That led CERT to partner with the Electronic Industries Alliance, a federation of trade associations, and form the ISAlliance.

At the same time, the organization has had to keep up with an ever-growing number of software vulnerabilities and high-profile attacks. CERT recorded just over 9,800 incidents in 1999, a number that rose to more than 82,000 in 2002.

Litchfield gave CERT credit for the work that it has done publicizing vulnerability information, especially in cases where a vulnerability affects a wide array of products. However, security researchers need to be better informed about how vulnerability information will be handled by CERT, he said.

"My basic concern was to make sure other independent researchers be aware that this is CERT's policy, because we weren't aware. If someone had made us aware, we would have stopped informing CERT ages ago," Litchfield said.


Copyright © 2003 IDG Communications, Inc.