Secunia Moves to Displace CERT, SecurityFocus

Danish security research firm Secunia
has launched a new mailing list to compete directly with entrenched security
advisory clearinghouses like the CERT Coordination Center and Symantec-owned
SecurityFocus.

Secunia’s move to launch its own list of vulnerability alerts is in direct
retaliation for what it describes as “censorship” and the deliberate delay
of warnings while paying customers get special treatment.

It is the second time a security flaw finder has criticized the federally
funded CERT/CC for selling early access to vulnerability warnings long before
vendor fixes are made available to the general public. In January, Next
Generation Security Software (NGSS) announced it would cut off CERT/CC from
all bug warnings until the Center signed a binding non-disclosure agreement
that it would not share early access with its paid sponsors.

The issue of how security warnings from third-party researchers are handled
is at the center of Secunia’s plans for its own early-warning system. The new
Secunia Security Advisories List will take warnings from all major sources,
research and rewrite them before sending them out to subscribers, and there
is an explicit promise that the information will always be free.

“Last year, when SecurityFocus was acquired by Symantec, they changed their
policy quite a bit. Now, they are
deliberately delaying security information for several days to give early
warning to subscribers who pay. They have basically betrayed the security
community,” said Thomas Kristensen, CTO of Secunia.

“They are taking information from hard-working researchers and selling
early access to the same information to people who pay big money,”
Kristensen told internetnews.com, accusing the CERT/CC of doing
essentially the same thing.

He said the new list would go head-to-head with the more popular BugTraq,
which is run by SecurityFocus, but would work alongside more open, free lists
like VulnWatch and Full-Disclosure.

“We have one philosophy. The information about vulnerabilities should be
released to the public at the same time it is released to our paying
customers. We’ve been doing that since we launched and we are very upset
with the way CERT and SecurityFocus deliberately delay their warnings,”
Kristensen declared.

Officials at SecurityFocus could not be reached for comment at press
time.

Ever since the launch of the list, sign-ups have been rolling in at the
rate of 100 per hour, and Kristensen expects to have tens of thousands of
subscribers within a few months. “The response has been great. It’s been a
huge success.”

For free, Secunia will act as a clearinghouse for all vulnerability
alerts, regardless of their importance, but there’s a catch for users who
don’t want to be bombarded with e-mail alerts for every conceivable flaw
report. Secunia will sell access to filtering software that allows
subscribers to customize the information they receive. On the low end,
Kristensen said the service will cost about $2,000 per year for business
users that might only want to receive information about mail server or web
server security flaws.

Plans are also in place to launch a weekly summary of alerts, which will
remain free. “All the information will be free, always. But we will charge
for the ability to filter and customize the alerts users want to receive,”
he said.

At the center of the complaints against CERT/CC is the Internet Security
Alliance, a group that sponsors the operations of the Center. The alliance,
a collaborative effort between Carnegie Mellon University’s Software
Engineering Institute (SEI), CERT/CC, and the Electronic Industries Alliance
(EIA), provides paid members a portal for up-to-the-minute threat
reports.

CERT/CC manager Jeff Carpenter earlier confirmed the IS Alliance
relationship, noting that it was public knowledge that the Center shares
information prior to public disclosure with trusted partners. In fact,
Carpenter told internetnews.com, the Center’s policy makes it clear
the Center would provide early warnings “to anyone who can contribute to the
solution and with whom we have a trusted relationship”. Those include
vendors, community experts, CERT/CC sponsors, members of the Internet
Security Alliance (including private sector organizations), and sites that
are part of a national critical infrastructure.

But, like NGSS, Secunia is upset with that arrangement, which effectively
allows the CERT/CC to sell information provided by third-party researchers,
mostly small single-office firms around the world. The IS Alliance pays as
much as $70,000 to the CERT/CC to be a sponsor and charges $25,000 for full
membership and $3,000 for associate membership.

These companies mostly share their vulnerability findings for the public
relations value it offers and then sell consulting services to enterprise
customers.

“We believe that security information should be free, so that
administrators can patch their systems and software developers can learn
from the mistakes made by others. All the security researchers and experts
who post to Full-Disclosure, VulnWatch and Secunia want their research to be
free and available; we owe them that much,” Kristensen declared.