A leading security warning body will next week take the controversial step of alerting the world to security vulnerabilities in products whether or not vendors have corrected the problems.
All vulnerabilities reported to Cert will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.
However, Cert has left itself the option of departing from this strict timescale if it becomes aware of active exploitation of a problem, or in the case of especially serious threats, where alternative publication schedules will be negotiated with the vendor.
Deri Jones, of security testers NTA Monitor, welcomed the policy change, which he said had been made against the backdrop of a growing debate within the security community about full disclosure of security problems.
Cert has previously argued that it is wrong to tell people there is a vulnerability without also informing them of a fix from the vendor. However, this policy ignored the proliferation of mailing lists and sites, such as Bugtraq, which provide information on security problems and possible workarounds, often long before vendor-sanctioned fixes are available.
Jones said if users read Cert alone, it might give them a "false sense of security". He added that if people are told of problems, at least they can make informed choices about the practicality of workarounds - which could involve suspending certain services.
"We tend to lean towards full disclosure," said Jones. "For one thing it means if vendors don't fix problems, it means they get their noses rubbed in it. It'll add an extra bit of pressure on them, but whether it will result in them putting extra effort into fixing problems, remains to be seen."
Cert said the goal of the policy was to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. It is changing its policy because it recognises people who discover vulnerabilities are increasingly tempted to make them public in an attempt to force vendors into action. However, Cert backed away from endorsing the immediate and full disclosure of problems some advocate.
In a notice on its website, Cert said: "We will not distribute exploits, if that's what 'full disclosure' means. In our experience, the number of people who can benefit from the availability of exploits is small compared to the number of people who get harmed by people who use exploits maliciously. We will, however, disclose information about vulnerabilities that we might not have previously disclosed, and publish information about as many vulnerabilities as we can."