Vendor Vulnerability Release Problem
I attended the ISP Security BoF this evening and listened to Juniper and Cisco defend their positions of determining who gets notifications first. Decent talk.

Folks did defend the "you need to reach us" to get the patch method, but some of it was "me too". I'd like to suggest to the Program Committee that a talk related to just this be solicited at the next NANOG and include all of the vendors who want to participate. They did concur that the current system is broken. This is part of the reason I decided to post this: to let everyone know that this is a problem and the vendors agree.

What I *was* disappointed in was the harsh criticism of DHS. The vendors called DHS and the Pentagon the biggest source of leaks related to 'their' security vulnerabilities. I don't know if that's true, but if they are, I hope they're leaking to the right people.

Thanks to Juniper and Cisco for holding the talk.

-M<

--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV
Operations & Infrastructure
hannigan@verisign.com
Martin/NANOG,

From US-CERT Ops' perspective we would welcome this discussion and want to participate if NANOG can add it to the agenda next go-around. Unfortunately I wasn't able to personally participate in this NANOG event, but my team was there and we value the feedback that was provided.

There are many challenges in when to communicate information, how you can communicate it, and the context in which it is shared, not to mention protecting the info. Then you throw platinum support contracts into the mix and it gets even more interesting. The complexity also goes up based on the availability of exploit tools and the ability to carry out an exploit based on open-source instructions found online, which also affects disclosure policy and the ability to get information to those infrastructure owners to protect themselves, which sometimes might be a mitigation strategy other than a patch or upgrade, which might or might not be available. Further adding to the complexity is cyber threat information, which also plays a role in the criticality of a vuln and when and how to communicate it in collaboration with the vendor.

Also a key driver in the vuln disclosure execution is the reporting vector:
1. Was it reported directly to the vendor by the discoverer?
2. Was it reported to a National Level CERT via private or government channels?
3. Did the vendor discover it through their own QA?

In short, we're very interested in participating in improving the overall process, or at least contributing to it. I'm glad folks were not shy about sharing their thoughts with my team ;)

Cheers,
Jerry
jerry.dixon@us-cert.gov or jerry@jdixon.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Hannigan, Martin
Sent: Tuesday, February 01, 2005 1:18 AM
To: 'nanog@merit.edu'
Subject: Vendor Vulnerability Release Problem