Security Flaw Finder Severs Ties with CERT
The U.K.-based security research firm accuses CERT/CC of profiting from its hard work by selling access to early warnings about software vulnerabilities.
NGSS co-founder Mark Litchfield told internetnews.com it was "annoying" that CERT/CC gave early warning on six vulnerabilities to its paid sponsors before vendor patches were created and made available.
"The problem became apparent when the vendor we're working with on these vulnerabilities said they were contacted by government departments. CERT notified them ahead of patches being made available. We did not know about this policy to share this information with people who pay for that privilege," Litchfield argued.
He vowed NGSS would cut off the vulnerability warning clearinghouse from all future bug warnings until CERT/CC signs a binding non-disclosure agreement that it would not share early access with its paid sponsors.
CERT/CC manager Jeff Carpenter confirmed the IS Alliance relationship but contends this is nothing new, noting that it's public knowledge that the Center shares information prior to public disclosure with trusted partners.
In fact, CERT/CC's disclosure policy, available on its Web site, makes it clear the Center would provide early warnings "to anyone who can contribute to the solution and with whom we have a trusted relationship". Those include vendors, community experts, CERT/CC sponsors, members of the Internet Security Alliance (including private sector organizations), and sites that are part of a national critical infrastructure.
"We're surprised NGSS would have a problem now. We released that disclosure policy more than two years ago and, before we released it, we spoke to all the vendors and gave the security community an opportunity to discuss it at length," CERT/CC's Carpenter said in an interview with internetnews.com.
Litchfield said NGSS did not know the IS Alliance pays as much as $70,000 to the CERT/CC to be a sponsor and charges $25,000 for full membership and $3,000 for associate membership. "This amounts to them profiting from our hard work. The fact that they're selling pre-disclosed vulnerability information to third parties is annoying. We don't profit from our own vulnerability discoveries. We're a small firm and we don't make money from it so why should they?"
Litchfield has been in touch with the Center in recent days to negotiate a non-disclosure agreement but he said CERT/CC was refusing to sign an NDA "because they claim their sponsors won't allow them to."
Carpenter confirmed the talks but declined to discuss specifics of his negotiations with Litchfield. However, he insists the Center isn't profiting from the IS Alliance relationship. "We feel strongly about our relationship with the Alliance. This is one of our ways to provide information on critical vulnerabilities ahead of the intruder community. We're not out to make money. We're using sponsorship funds from government and industry partners to help our mission."
"It's not wrong for system infrastructure administrators to be made aware of critical issues. They are exposed and the Internet community depends on them to maintain security. In some cases, it is correct that they get it (warnings) ahead of others," Carpenter said.
He said the purpose of keeping vulnerability information confidential was to give software vendors a chance to develop patches and give administrators a chance to defend their systems before the intruder community becomes aware of it. "The alliance is one of our ways of trying to go in that direction. It's a non-profit organization with working groups doing a lot of lobbying on security-related issues," the CERT/CC manager said.
The IS Alliance's full membership includes big-name firms like Boeing, Automatic Data Processing, Corio, Equant and the Harris Corporation.
For NGSS, an 11-employee firm that published 49 security alerts in 2002, Litchfield maintains the information should "never be shared" ahead of a vendor fix being made available. "We don't know who is getting these early warnings and, in most cases, they get these alerts before a patch is even available. We can't be a party to that," he argued.
He said NGSS had 28 advisories on hold, six of which CERT/CC was aware of. "We're waiting for fixes to be made available and now that we've cut ties with them, it means we will release the information ourselves through the normal channels," Litchfield said.
The advantage of using the CERT/CC to issue security alerts is a wider distribution base. CERT/CC's mailing lists and vulnerability archives are acknowledged as the most comprehensive in the industry, and Litchfield says the "door remains open" for NGSS to repair the relationship.
The quarrel between NGSS and CERT/CC again brings the issue of vulnerability disclosure to the front burner. The Internet security sector is polarized on how and when security alerts should be made available and CERT/CC's Carpenter said the industry continues to struggle with finding a comprehensive policy on how disclosures should be made.
"The problem is that you can't find any policy where there is consensus agreement. That's the biggest problem for the industry and I don't know there is an answer," he said.
"Even if there is a government mandate, it won't stop the issue of people disagreeing with it. I don't see a short term solution to this polarization," Carpenter said, noting that the public discussion about vulnerability disclosure is a "diversion" from the real issue of vendors creating stable, reliable software products.
"It would help if we were able to get the vendor community to build secure software to avoid vulnerabilities in the first place. We should concentrate on working with the vendors to create better software. That's where the real issue is," Carpenter said.