Software security consultant Next
Generation Security Software (NGSS) has severed ties with the federally
funded CERT Coordination Center, accusing the non-profit organization of
selling early access to vulnerability warnings long before vendor fixes are
made available.
NGSS co-founder Mark Litchfield told internetnews.com it was
“annoying” that CERT/CC gave early warning on six vulnerabilities to its
paid sponsors before vendor patches were created and made available.
“The problem became apparent when the vendor we’re working with on these
vulnerabilities said they were contacted by government departments. CERT
notified them ahead of patches being made available. We did not know about
this policy to share this information with people who pay for that
privilege,” Litchfield argued.
He vowed NGSS would cut off the vulnerability warning clearinghouse from
all future bug warnings until CERT/CC signs a binding non-disclosure
agreement that it would not share early access with its paid sponsors.
At the center of the brouhaha is the Internet Security Alliance,
a group that sponsors the operations of the CERT/CC. The alliance, a
collaborative effort between Carnegie Mellon University’s Software
Engineering Institute (SEI), CERT/CC and the Electronic Industries Alliance
(EIA), provides paid members a portal for up-to-the-minute threat
reports.
CERT/CC manager Jeff Carpenter confirmed the IS Alliance relationship but
contends this is nothing new, noting that it’s public knowledge that the
Center shares information prior to public disclosure with trusted
partners.
In fact, CERT/CC’s disclosure policy, available on its Web
site, makes it clear the Center would provide early warnings “to anyone
who can contribute to the solution and with whom we have a trusted
relationship”. Those include vendors, community experts, CERT/CC sponsors,
members of the Internet Security Alliance (including private sector
organizations), and sites that are part of a national critical
infrastructure.
“We’re surprised NGSS would have a problem now. We released that
disclosure policy more than two years ago and, before we released it, we
spoke to all the vendors and gave the security community an opportunity to
discuss it at length,” CERT/CC’s Carpenter said in an interview with
internetnews.com.
Litchfield said NGSS did not know the IS Alliance pays as much as $70,000
to the CERT/CC to be a sponsor and charges $25,000 for full membership and
$3,000 for associate membership. “This amounts to them profiting from our
hard work. The fact that they’re selling pre-disclosed vulnerability
information to third parties is annoying. We don’t profit from our own
vulnerability discoveries. We’re a small firm and we don’t make money from
it so why should they?”
Litchfield has been in touch with the Center in recent days to negotiate
a non-disclosure agreement but he said CERT/CC was refusing to sign an NDA
“because they claim their sponsors won’t allow them to.”
Carpenter confirmed the talks but declined to discuss specifics of his
negotiations with Litchfield. However, he insists the Center isn’t profiting
from the IS Alliance relationship. “We feel strongly about our relationship
with the Alliance. This is one of our ways to provide information on
critical vulnerabilities ahead of the intruder community. We’re not out to
make money. We’re using sponsorship funds from government and industry
partners to help our mission.”
“It’s not wrong for system infrastructure administrators to be made aware
of critical issues. They are exposed and the Internet community depends on
them to maintain security. In some cases, it is correct that they get it
(warnings) ahead of others,” Carpenter said.
He said the purpose of keeping vulnerability information confidential was
to give software vendors a chance to develop patches and give administrators
a chance to defend their systems before the intruder community becomes aware of
it. “The alliance is one of our ways of trying to go in that direction.
It’s a non-profit organization with working groups doing a lot of lobbying
on security-related issues,” the CERT/CC manager said.
The IS Alliance’s full membership includes big-name firms like Boeing,
FedEx, Automatic Data Processing, Corio, Equant and the Harris Corporation.
For NGSS, an 11-employee firm that published 49 security alerts in 2002,
Litchfield maintains the information should “never be shared” ahead of a
vendor fix being made available. “We don’t know who is getting these early
warnings and, in most cases, they get these alerts before a patch is even
available. We can’t be a party to that,” he argued.
He said NGSS had 28 advisories on hold, six of which CERT/CC was aware
of. “We’re waiting for fixes to be made available and now that we’ve cut
ties with them, it means we will release the information ourselves through
the normal channels,” Litchfield said.
The advantage of using the CERT/CC to issue security alerts is a
wider distribution base. CERT/CC’s mailing lists and vulnerability archives
are acknowledged as the most comprehensive in the industry, and Litchfield
says the “door remains open” for NGSS to repair the relationship.
The quarrel between NGSS and CERT/CC again brings the issue of
vulnerability disclosure to the front burner. The Internet security sector
is polarized on how and when security alerts should be made available and
CERT/CC’s Carpenter said the industry continues to struggle with finding a
comprehensive policy on how disclosures should be made.
“The problem is that you can’t find any policy where there is consensus
agreement. That’s the biggest problem for the industry and I don’t know
there is an answer,” he said.
“Even if there is a government mandate, it won’t stop the issue of people
disagreeing with it. I don’t see a short-term solution to this
polarization,” Carpenter said, noting that the public discussion about
vulnerability disclosure is a “diversion” to the real issue of vendors
creating stable, reliable software products.
“It would help if we were able to get the vendor community to build
secure software to avoid vulnerabilities in the first place. We should
concentrate on working with the vendors to create better software. That’s
where the real issue is,” Carpenter said.