RealTime IT News

Secunia Moves to Displace CERT, SecurityFocus

Danish security research firm Secunia has launched a new mailing list to compete directly with entrenched security advisory clearinghouses like the CERT Coordination Center and Symantec-owned SecurityFocus.

Secunia's move to launch its own list of vulnerability alerts is in direct retaliation for what it describes as "censorship" and the deliberate delaying of warnings while paying customers get special treatment.

It is the second time a security flaw finder has criticized the federally funded CERT/CC's policy of selling early access to vulnerability warnings long before vendor fixes are made available to the general public. In January, Next Generation Security Software (NGSS) announced it would cut off CERT/CC from all bug warnings until the Center signed a binding non-disclosure agreement that it would not share early access with its paid sponsors.

The issue of how security warnings from third-party researchers are handled is at the center of Secunia's plans for its own early-warning system. The new Secunia Security Advisories List will take warnings from all major sources, research and rewrite them before sending them out to subscribers, and there is an explicit promise that the information will always be free.

"Last year, when SecurityFocus was acquired by Symantec, they changed their policy quite a bit. Now, they are deliberately delaying security information for several days to give early warning to subscribers who pay. They have basically betrayed the security community," said Thomas Kristensen, CTO of Secunia.

"They are taking information from hard-working researchers and selling early access to the same information to people who pay big money," Kristensen told internetnews.com, accusing the CERT/CC of doing essentially the same thing.

He said the new list would go head-to-head with the more popular BugTraq, which is run by SecurityFocus, but would work alongside more open, free lists like VulnWatch and Full-Disclosure.

"We have one philosophy. The information about vulnerabilities should be released to the public at the same time it is released to our paying customers. We've been doing that since we launched and we are very upset with the way CERT and SecurityFocus deliberately delay their warnings," Kristensen declared.

Officials at SecurityFocus could not be reached for comment at press time.

Ever since the launch of the list, sign-ups have been rolling in at the rate of 100 per hour, and Kristensen expects to have tens of thousands of subscribers within a few months. "The response has been great. It's been a huge success."

For free, Secunia will act as a clearinghouse for all vulnerability alerts, regardless of their importance, but there's a catch for users who don't want to be bombarded with e-mail alerts for every conceivable flaw report. Secunia will sell access to filtering software that allows subscribers to customize the information they receive. On the low end, Kristensen said the service will cost about $2,000 per year for business users who might only want to receive information about mail server or web server security flaws.

Plans are also in place to launch a weekly summary of alerts, which will remain free. "All the information will be free, always. But we will charge for the ability to filter and customize the alerts users want to receive," he said.

At the center of the complaints against CERT/CC is the Internet Security Alliance, a group that sponsors the operations of the Center. The alliance, a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI), CERT/CC, and the Electronic Industries Alliance (EIA), provides paid members a portal for up-to-the-minute threat reports.

CERT/CC manager Jeff Carpenter earlier confirmed the IS Alliance relationship, noting that it was public knowledge that the Center shares information prior to public disclosure with trusted partners. In fact, Carpenter told internetnews.com, the Center's policy makes it clear the Center would provide early warnings "to anyone who can contribute to the solution and with whom we have a trusted relationship". Those include vendors, community experts, CERT/CC sponsors, members of the Internet Security Alliance (including private sector organizations), and sites that are part of a national critical infrastructure.

But, like NGSS, Secunia is upset with that arrangement, which effectively allows the CERT/CC to sell information provided by third-party researchers, mostly in small single-office firms around the world. The IS Alliance pays as much as $70,000 to the CERT/CC to be a sponsor and charges $25,000 for full membership and $3,000 for associate membership.

These companies mostly share their vulnerability findings for the public relations value it offers and then sell consulting services to enterprise customers.

"We believe that security information should be free, so that administrators can patch their systems and software developers can learn from the mistakes made by others. All the security researchers and experts who post to Full-Disclosure, VulnWatch and Secunia want their research to be free and available; we owe them that much," Kristensen declared.