Clock ticking to fix security holes

A leading security warning body will next week take the controversial step of alerting the world to security vulnerabilities in products whether or not vendors have corrected the problems.

John Leyden

All vulnerabilities reported to Cert will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.

However, Cert has left itself the option of departing from this strict timescale if it becomes aware of active exploitation of a problem, or in the case of especially serious threats, in which case alternative publication schedules will be negotiated.

Deri Jones, of security testers NTA Monitor, welcomed the policy change, which he said had been made against the backdrop of a growing debate within the security community about full disclosure of security problems.

Cert has previously argued that it is wrong to tell people there is a vulnerability without also telling them of a fix from vendors. However, this policy ignored the proliferation of sites, such as Bugtraq, that provide information on security problems and possible workarounds, often long before vendor-sanctioned fixes are available.

Jones said if users read Cert alone, it might give them a "false sense of security". He added that if people are told of problems, at least they can make informed choices about the practicality of workarounds - which could involve suspending certain services.

"We tend to lean towards full disclosure," said Jones. "For one thing it means if vendors don't fix problems, it means they get their noses rubbed in it. It'll add an extra bit of pressure on them, but whether it will result in them putting extra effort into fixing problems, remains to be seen."

Cert said the goal of the policy was to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. It is changing its policy because it recognises people who discover vulnerabilities are increasingly tempted to make them public in an attempt to force vendors into action. However, Cert backed away from endorsing the immediate and full disclosure of problems some advocate.

In a notice on its website, Cert said: "We will not distribute exploits, if that's what 'full disclosure' means. In our experience, the number of people who can benefit from the availability of exploits is small compared to the number of people who get harmed by people who use exploits maliciously. We will, however, disclose information about vulnerabilities that we might not have previously disclosed, and publish information about as many vulnerabilities as we can."
