RealTime IT News

Centralized Security Reporting for Open Source - Page 2

Page 2 of 2

Joe Brockmeier, openSUSE Community Manager at Novell, said the company is interested in supporting efforts to coordinate sharing vulnerability information to expedite reaction times.

"In particular, we want to support the exchange of vulnerability information between large vendors with full security teams as well as small projects with few or no dedicated security resources," Brockmeier told InternetNews.com. "It's very important to provide a level playing field for all of the players in the open source community, and we want to be a part of that."

That's also the key aspect that interested Brockmeier's colleague Marcus Meissner, who leads the SUSE security team.

"The other security forums are for larger and more established vendors, but we want to make sure that independent researchers and open source projects have an avenue to participate in security forums as well," Meissner told InternetNews.com.

Still, oCERT's founder said that it doesn't necessarily matter whether a project or vendor is an official member or sponsor.

"Our sponsors don't get any form of 'preferential treatment' regarding their security reports or issues that might affect them, nor do sponsors have privileged access or any form of advance notification," Barisani said.

oCERT and the international CERTs are not directly related. The CERT name itself is being used by the open source effort with the express permission of the original CERT at Carnegie Mellon University.

According to oCERT team member Rob Holland, Inverse Path -- a consulting firm that employs both Holland and Barisani -- signed a license on oCERT's behalf, granting permission to use the term.

The CERT license outlines a few requirements for continued use -- one being a disclaimer on the oCERT site due to the similarity of the URLs ocert.org and cert.org, Holland said.

"Other requirements were mainly related to keeping track of the services we claim to offer, intended to stop tarnishing of the reputation of the trademark," Holland told InternetNews.com.

While oCERT does not have a direct organizational relationship with the US-CERT effort, the two organizations can share information. Barisani said oCERT would contact regional CERTs in cases in which it feels it may have useful information to share.

"It happened already once -- I contacted US-CERT about an open source vulnerability that might affect some commercial software," Barisani said. "US-CERT knows lots of commercial vendors and therefore, it felt appropriate. Other than this, there is no official interaction between us and other CERTs."

Many open source projects have bug-tracking databases such as Bugzilla to track security issues. oCERT's founders said their effort isn't intended to replace those trackers or even to compete with them.

Instead, they said the expectation is that projects and security researchers who discover flaws will contact oCERT directly, to help them coordinate a controlled release of the fix.

"Our effort is not so much about existing issues known to projects, but more to new security issues which are reported to us, or found by us, and that we help escalate and coordinate proper fixes for amongst all affected projects," Barisani said.