“The long-debated question of whether software and network
vulnerability data should be shared freely and immediately
re-surfaced recently, as Carnegie Mellon University’s CERT
Coordination Center (CERT/CC), formerly the Computer Emergency
Response Team (CERT), announced hooking up with a private-industry
organization called the Internet Security Alliance to make its
advance alerts and vulnerability database immediately available to
members.”

“Several press reports have suggested that the
publicly-funded CERT/CC will be making its database available to
those willing to pony up anywhere between $2,500 and $50,000
annually for some manner of subscription service, but this isn’t
quite right. CERT/CC won’t be collecting money directly in
exchange for services; the costs cited are actually the ISA
membership fees, which vary according to the size of the company
seeking to join.”

“ISA member companies, which include NASDAQ, Mellon Financial
Services, AIG, TRW and VeriSign, will have access to the CERT/CC
database, or Vulnerability Catalog as it’s called, via a secure
distribution network, so long as they’re willing to sign and abide
by a non-disclosure agreement. Members will also receive advance
vulnerability reports, and have the opportunity to share such
information with one another in confidence.”