CERT, Feds Consider New Reporting Process

Early release of vulnerability info highlights current problems.

Government officials and private organizations alike are reviewing their vulnerability disclosure processes after several incidents over the past 10 days exposed major shortcomings in the way new bugs are handled.

The most dramatic case for change came early last week when an anonymous member of a security mailing list posted three unpublished vulnerability advisories. None of the advisories had been released by the authors—or by a third party such as the CERT Coordination Center—who typically handle such announcements. The posts were taken from advance copies of the advisories that CERT had shared with a select group of software vendors, something that has angered CERT officials.

"We know that the text was taken directly from messages we shared with the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT, based at Carnegie Mellon University, in Pittsburgh. "Weve always believed that the vendors need advance notice. But in this case, someone with access decided to [go] public."

CERT is now considering whether changes can be made to its process for handling vulnerabilities. The federal government, meanwhile, is discussing ways to centralize vulnerability reporting.

The government is considering a plan to establish a single point of contact for vulnerability reporting; researchers would submit discoveries to the contact. The government would then work with the researcher and the affected vendors to coordinate release of the information.

The hope is to avoid leaks and to speed vendor response to security problems. However, the Information Assurance and Infrastructure Protection division of the Department of Homeland Security is still without a leader, clogging any major initiatives, insiders said.

While the Bush administration has found it difficult to fill the top information security job, sources say Bob Liscouski, director of information integrity and assurance at The Coca-Cola Co., in Atlanta, is slated to take the job of assistant undersecretary for IAIP.

Officials at DHS did not respond to requests for comment.


Timeline of events in leaked vulnerability reports:
  • March 15 OpenSSL and Kerberos advisories leaked
  • March 16 Sun XDR advisory leaked
  • March 17 Kerberos advisory and patch officially released
  • March 19 Sun XDR advisory officially released
The trouble began when a member of the Full-Disclosure mailing list posted three vulnerability reports. Only one of the problems had been disclosed previously, and patches were not yet available. All the advisories detailed the vulnerabilities and affected products.

All the vulnerability reports were serious. The first, posted March 15, warned of a cryptographic weakness in the popular Kerberos protocol. The second message discussed a timing attack on cryptographic keys. The third, posted March 16, concerned a problem in a code library contained in Unix-based software from Sun Microsystems Inc. and other vendors. The Kerberos bulletin was officially released March 17; the details of the timing attack were published on another Web site the previous Friday.

The Sun advisory was not released until late Wednesday.

CERTs Hernan estimated there are about 50 vendors that had access to all three vulnerability reports. The person who posted the advisories to the Full-Disclosure list used an anonymous, secure e-mail service, Hushmail, which makes it hard to track the individual down.

Latest Security News:

Search for more stories by Dennis Fisher.
Find white papers on security.