Feds Want Central Contact for Vulnerability Reporting

Will give researchers credit, help to ensure vendor action is taken.

As part of a continuing effort to find a way to handle sensitive security vulnerabilities, government security officials have been discussing the possibility of creating a central point of contact within the government for reporting such information.

Under a scenario the officials have discussed, researchers who find a new vulnerability would be encouraged to send their findings to the government contact at the same time they notify the affected vendor, according to sources familiar with the discussions.

The benefits of such a system are twofold, experts say. Not only would it ensure that the researcher is given proper credit for his or her findings, but it would also serve as a fallback position should the vendors affected by the vulnerability fail to acknowledge the report or take action to fix it.

Many security research- ers have been critical of large software vendors such as Microsoft Corp. for what the researchers perceive as unreasonably slow reaction times once the vendors are told of a new vulnerability. This, in part, has led some researchers to begin posting their findings on public mailing lists or Web sites in an effort to pressure the vendors into patching the vulnerabilities.

Government security officials, most notably Richard Clarke, chairman of the Presidents Critical Infrastructure Protection Board, have decried this practice as irresponsible and damaging to both users and vendors. Clarke, on several occasions, has called on researchers to notify his office if they are meeting resistance from vendors on vulnerability reports.

Some researchers said that having a single point of contact within the federal government for vulnerability reporting could help alleviate some of these problems.

"I think a program like this would help with nonresponsive vendors," said Chris Wysopal, director of research and development at @Stake Inc., a security research company and consultancy based in Cambridge, Mass.

However, Wysopal questioned how much detail researchers should give the government when submitting their notifications.

"I worry if researchers are required to give details," said Wysopal. "In the past, we have seen instances where [the National Infrastructure Protection Center at the FBI] has tried to coordinate notifying vendors, which has led to premature leaks of information."

"This happened in the case of the SNMP vulnerability [last February]. There is always the temptation to use information once you have it," Wysopal said.

Wysopal is also involved in the Organization for Internet Safety, which is developing a set of best practices for researchers and vendors to follow in vulnerability reporting and handling.

Sources familiar with the governments thinking on this issue said the proposal is still just in the discussion phase, mainly due to uncertainty surrounding passage of the bill authorizing the Department of Homeland Security.

Nearly all the governments security organizations would be consolidated under this new department if and when it is created.

"I think if it wasnt in the middle of a reorganization, it would be yes, yes, yes," said one source, who has participated in some of the discussions. "It would be a slam-dunk. It just makes too much sense not to happen."