Security group issues ultimatum for bug patches

An influential computer security group institutes a new policy that gives software companies just 45 days to fix security flaws before it goes public with reported defects.

An influential computer security group has instituted a new policy that gives software companies just 45 days to fix security flaws before it goes public with reported defects, a move that could lead to greater openness in discussions about software vulnerabilities, some security experts say.

The Computer Emergency Response Team (CERT) at Carnegie Mellon University said it will begin to publicly disclose software vulnerabilities after the deadline period regardless of the existence or availability of patches or workarounds from affected companies. Previously CERT did not disclose such vulnerabilities.

The policy, announced last week, took effect Monday.

CERT's decision to go public with unsolved security flaws could significantly influence a longtime debate about the best way to disclose software vulnerabilities. While some well-known bug hunters give companies just a few hours' notice before publicly disclosing an exploit, many prefer to work quietly with software companies to fix the problem and then announce the patch rather than just the hole.

Experts said CERT's policy shift follows a trend toward full disclosure, although CERT couched its new stance as taking a middle ground.

"This is a way for us to effect some change in the way vulnerabilities are disclosed," said Cory Cohen, a CERT security team member. "We see it as a middle-of-the-road decision. We won't disclose exploits ... We will disclose information about vulnerabilities to inform the public and give vendors a set time frame to release a patch."

Software makers and security companies that prefer to keep the public out of the security loop argue that openly discussing vulnerabilities gives hackers a dangerous source of information on new exploits. Such flaws should not be disclosed, they say, until after the software maker has released a patch for the problem.

Others, who believe that public discussion offers the better course, have established closely watched security forums, such as BugTraq, where flaws and exploits are openly dissected.

Exploits are source code that illustrates how any programmer could take advantage of a vulnerability, something Cohen said the new policy will not disclose.

Cohen added that the goal of the policy is to balance the need of the public to be informed of security vulnerabilities with the companies' need for time to respond effectively. CERT anticipates the first information released under the new policy will be available around Nov. 20.

Security experts said it is unclear if CERT's decision to opt for openness is sufficient to change the way companies disclose their own software security information.

"This is a step in the right direction," said Elias Levy, chief technology officer for SecurityFocus.com and moderator of the BugTraq mailing list. "But only time will tell how things will be done industrywide. This definitely is a shift in the debate, though, because CERT is a significant" organization in the security community.