Internet security vulnerabilities: To disclose or not to disclose?

Should CERT and other Internet security groups reveal security vulnerabilities before contacting the software vendor? According to an Internet security and privacy expert, some companies may be getting inside information.

By Jonathan Yarden

There has been a rather vicious debate raging in public discussion forums and Usenet for the past several years concerning the disclosure of Internet security risks. The core issue is whether the public has the right to be informed about security risks in software, specifically Internet software. Basically, there are two choices: disclose information publicly or not. Although this is a touchy subject to tackle, I felt compelled by recent news accounts to revisit the issue.

Proponents of public disclosure of Internet security risks list numerous reasons why they feel it's a good idea—the main one being that people would be aware of what problems exist. This argument assumes that providing Internet security risk information publicly allows people to make their own assessments and take the necessary action. This reasonable approach is one that the open source community has followed for quite a few years. Security is an important facet of open source development, and the public dissemination of security risks, and of information generally, is supposed to lead to better, more reliable software. (At least that's the idea.)

On the other hand, there are just as many reasons why others, including commercial software companies, don't want security risks to be made public.

I believe that disclosing vulnerabilities in commercial software publicly before notifying the software company is irresponsible. The software company should be given the opportunity to come up with a patch or workaround before a vulnerability is disclosed. Even though publicly reporting about Internet security risks makes for good headlines, it can damage customer confidence and impact sales by commercial software companies.


Whatever your stance is on the issue, I feel fairly certain that anyone who uses Internet software would like to know if the software is secure. For commercial Internet software, you pretty much have to have faith that your software is robust and doesn't contain any vulnerabilities. If you're using open source software, you'll need to make the same assumptions (often unwittingly). While you may have skilled employees who can review the C code for buffer overflows and logic bombs, remember that the "bad guys" have the source code too.

CERT's disclosure policy
The organization CERT has been around since 1988, when the Morris worm choked roughly one out of every 10 hosts on the Internet, spreading through a sendmail debug mode and a buffer overflow in fingerd, among other vectors. (Although the name CERT no longer officially stands for anything, it was originally an acronym for "computer emergency response team.") Seeing an immediate need for a centralized, organized system for tracking and reporting computer security risks, the U.S. Department of Defense funded the fledgling organization and established the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute.

CERT posts information daily about Internet security vulnerabilities, offers solutions about how to handle these issues when possible, works with security experts to recognize problems, and more. If you want to report information about an Internet security issue, submit the pertinent information to the CERT Web site.

CERT has also played a pivotal role in providing timely and important Internet security information since its formation, the idea being that an open and public exchange benefits everyone using the Internet. However, CERT has recently received some criticism for changing its vulnerability disclosure policy. A new policy that went into effect on Oct. 9, 2000, states that CERT will not disclose a reported vulnerability to the "general public" until 45 days after the initial report, giving the vendor that window to produce a fix. CERT justifies the change by stating that publishing a vulnerability before notifying the software vendor and giving it time to fix the product is irresponsible.

Here is the problem with this policy: CERT is part of the organization called the Internet Security Alliance (ISA), and corporations that pay to join ISA get "up to the minute" access to reported vulnerabilities and other security risks. Depending on the type of membership, these member corporations can also redistribute CERT advisories. So basically, if you pay to be a member, you—along with the vendor of the product—receive notification of vulnerabilities before the general public does. This "inside information" can be quite valuable to ISA members that sell Internet security products or services: these for-profit companies know about a vulnerability in advance and can use that knowledge to their advantage, perhaps at the expense of companies that are not ISA members. It also means that, for those 45 days, the number of people who know about an unpatched flaw grows with every membership sold, and each of them is a potential source of a leak.

In my opinion, it appears as though CERT has fallen victim to the whim of special interest groups like the ISA. Does it strike anyone else as odd that the founding members of the ISA include for-profit Internet security companies, such as Verisign, Exodus Communications, and Guardent? This is a sad state of affairs indeed.

Jonathan Yarden, contributing writer for TechRepublic's Internet Security Focus TechMail, is the senior UNIX system administrator and network security manager at a regional ISP. He is also the senior software architect there.
