CERT defends vulnerability info restrictions
Apr 26, 2001, 03:49
(Other stories by Thomas C. Greene)
"The long-debated question of whether software and network vulnerability data should be shared freely and immediately re-surfaced recently, as Carnegie Mellon University's CERT Coordination Center (CERT/CC), formerly the Computer Emergency Response Team (CERT), announced hooking up with a private-industry organization called the Internet Security Alliance to make its advance alerts and vulnerability database immediately available to members."
"Several press reports have suggested that the publicly-funded CERT/CC will be making its database available to those willing to pony up anywhere between $2,500 and $50,000 annually for some manner of subscription service, but this isn't quite right. CERT/CC won't be collecting money directly in exchange for services; the costs cited are actually the ISA membership fees, which vary according to the size of the company seeking to join."
"ISA member companies, which include NASDAQ, Mellon Financial Services, AIG, TRW and VeriSign, will have access to the CERT/CC database, or Vulnerability Catalog as it's called, via a secure distribution network, so long as they're willing to sign and abide by a non-disclosure agreement. Members will also receive advance vulnerability reports, and have the opportunity to share such information with one another in confidence."