Smart Partner: Bug Fixes Have No Profit Margin
Oct 26, 2000, 16:27
(Other stories by David Raikow)
"On Oct. 3, the CERT coordination center, a branch of the Software Engineering Institute at Carnegie Mellon University, announced that it would begin regularly issuing detailed reports describing security vulnerabilities in existing software. Under that new policy, CERT will give software vendors a 45-day "grace period" after learning of a bug to investigate the problem and develop patches or workarounds. After 45 days, CERT will release its report, whether a fix is available or not."
"The question of vulnerability disclosure is one of the most hotly debated topics in the network-security community, often arousing the type of emotional response normally reserved for abortion or gun control. Many, particularly among open-source enthusiasts, argue that users and administrators have a right to information about the software running on their machines. It follows that security problems should, therefore, be publicized as widely and in as much detail as possible--including source code demonstrating how to exploit them. Forewarned is, after all, forearmed."
"As one of the few widely trusted and respected players in the security field, CERT now has the opportunity to become a kind of central clearinghouse for vulnerability information, while shaping the standards for responsible disclosure in ways existing mailing lists cannot. The end result could make it a lot easier for the good guys to stay on their toes."