U.S. centre steps up disclosure of security holes

Carnegie Mellon University’s CERT Coordination Center security advisory service Monday instituted a new policy under which it plans to publicly disclose all software flaws and vulnerabilities 45 days after they’re first reported to the organization – regardless of whether the problems have been fixed by the vendors whose products are affected by the security holes.

The policy builds on CERT’s usual practice of issuing periodic security advisories to its clients. Until now, such advisories have been restricted to vulnerabilities that the center considers to be particularly serious and in need of immediate attention by users. But as part of the new policy, CERT now will start issuing what are expected to be far more frequent “vulnerability reports” on all security problems that are reported to the center and are verifiably true.

CERT, which posted the details of the new policy on its Web site last week, said it will continue to pass on all relevant information about a specific security problem to the appropriate software vendor before making any public disclosures.

But after 45 days, the information will be released to the public along with any available fixes and workarounds that users can implement. Information about vulnerabilities that are considered particularly serious, or that would be easy for malicious attackers to exploit, will be released even earlier if the situation warrants an accelerated disclosure, said CERT member Shawn Hernan in an interview today.

The idea is to provide software users with responsible, qualified disclosures while still giving vendors a reasonable amount of time to plug security holes, Hernan said. “The policy is really an attempt to balance the needs of the vendors with those of the general public,” he added.

Meanwhile, the more selective security advisories that CERT currently issues will continue to be restricted to the most serious security problems and should be released at about the same pace as they are now, according to Hernan. CERT issued 17 advisories last year and has released about the same number so far this year. “When someone receives a CERT advisory, we want them to take it very seriously,” he said.

CERT’s plan to start making more frequent disclosures of software vulnerabilities comes at a time when some security experts are questioning the wisdom of releasing such information before vendors have a chance to fix the holes.

During a keynote speech at July’s Black Hat Briefings security conference in Las Vegas, for example, security researcher Marcus Ranum charged that the full-disclosure approach isn’t improving computer security. Instead, Ranum said, it’s only encouraging more attacks – a contention that was challenged by other conference attendees.

CERT will try to publish reports about as many vulnerabilities as necessary under its new policy, Hernan said. But in an attempt to minimize the possibility of attacks resulting from the disclosures, he added, the organization doesn’t plan to publicly disclose any information that could be used by malicious hackers to exploit security holes.

CERT’s change in policy is a step in the right direction, said Ryan Russell, an MIS manager at SecurityFocus.com, a rival online bulletin board and security portal based in San Mateo, Calif. Last year, the SecurityFocus site posted a total of 575 vulnerability reports.

“I’m firmly in the full-disclosure camp,” Russell said. Giving users as much detailed information about vulnerabilities as quickly as possible helps companies take appropriate action to mitigate risks and protect themselves from attacks, he added.