RealTime IT News

Will Symantec Keep SecurityFocus' Disclosure Policy?

The surprise announcement Wednesday afternoon that Cupertino, Calif.-based security firm Symantec would acquire enterprise security threat management system provider SecurityFocus has sent ripples through the security community, with a number of users questioning whether SecurityFocus' highly-popular Bugtraq mailing list will lose its editorial independence.

Others wondered whether SecurityFocus would be able to maintain its credibility under the banner of an anti-virus firm. Anti-virus software vendors have a reputation among security experts for allegedly inflating the seriousness of virus threats in order to boost sales of their products.

The Bugtraq mailing list, considered by most to be the world's most popular security community, serves as a forum for security experts to exchange up-to-the-minute information on viruses, security flaws and exploits. It maintains a controversial "full disclosure" policy, which allows users to post very detailed security vulnerability information to the list, including exploits. Firms like Microsoft have railed against the policy, saying it puts dangerous tools in the hands of malicious hackers who subscribe to the list in order to find ways to infiltrate systems.

But Elias Levy, chief technology officer of SecurityFocus and moderator of Bugtraq, has consistently argued that hiding security vulnerabilities does not make systems more secure. About a year ago, on the mailing list, Levy said that without detailed information:

"How should third-parties develop countermeasures? In essence you are arguing that only the vendor should be capable of fixing the vulnerable software.

"How should authors of vulnerability scanners and intrusion detection systems obtain information to produce new signatures? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules? What about non-commercial or open source tools?

"How should academics obtain information for research purposes? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules?

"How should users verify the vendor fix works as described? Some vendors have a history of requiring a few revisions of a patch to get it right.

"What do you do if the vendor is not cooperating, does not maintain the product any longer, or no longer exists?"

In the minds of a number of SecurityFocus users, who have been filling the Slashdot community site with commentary on the acquisition, SecurityFocus' editorial stance and credibility are threatened by the $75 million cash acquisition.

Both Symantec and the SecurityFocus staff, including Levy, deny that is the case.

"Symantec will continue to manage the Bugtraq mailing list and the online security community under the SecurityFocus brand," Symantec said in a statement Wednesday. "It will continue to offer a forum for objective reporting by security experts on the latest IT threats and attacks as well as how to prevent security breaches."

In a letter signed by "Elias Levy, David Ahmad, and the rest of the SecurityFocus staff," and posted to the Bugtraq list, SecurityFocus and Symantec added, "Symantec recognizes the value and uniqueness of the public services SecurityFocus provides to the community, such as the numerous mailing lists we host and the content we provide via the SecurityFocus Online Web site.

"In particular, Symantec and SecurityFocus want to ease any fears as to whether the character of this mailing list will change."

The letter continued, "We believe it is critical to maintain the integrity of the existing security community currently part of the SecurityFocus portal and Bugtraq mailing list."

The letter then went on to describe Symantec's disclosure policy, which includes a 30-day grace period after the notification of a security advisory to give users an opportunity to apply a patch. The policy does not allow for the distribution of detailed exploit code or samples of malicious code, except to "other trusted security researchers and in a secured manner."

However, the letter assured users that Bugtraq would be an exception. "We believe that in order for the SecurityFocus/Bugtraq community to be effective, it must be an independent entity. We believe that its current disclosure policy is appropriate for the venue. Symantec will continue to operate with its separate disclosure policy."

But the arguments have done little to sway some users. One user posted on Slashdot, "Symantec claims that SecurityFocus will still be 'independent.' It's possible, but unlikely. The true test will be how often a vulnerability shows up before Symantec releases a fix."

Another noted, "Even if Bugtraq keeps its objectivity (and what a big 'if' is that!), doubt will ever remain. A critical resource for the security community has been lost, at least because of the lack of credibility in the new owners."

Meanwhile, Symantec is looking beyond Bugtraq when it comes to valuing the SecurityFocus acquisition. The company has its eyes on SecurityFocus' vulnerability database (which Symantec calls the "most complete" in the industry). It said it plans to continue to license the database to security product vendors, managed service providers and other organizations that create security products and services. It is also eyeing the DeepSight line of global threat management solutions.

The transaction is expected to close in early to mid-August 2002.