“On Oct. 3, the CERT coordination center, a branch of the
Software Engineering Institute at Carnegie Mellon University,
announced that it would begin regularly issuing detailed reports
describing security vulnerabilities in existing software. Under
that new policy, CERT will give software vendors a 45-day ‘grace
period’ after learning of a bug to investigate the problem and
develop patches or workarounds. After 45 days, CERT will release
its report, whether a fix is available or not.”
“The question of vulnerability disclosure is one of the most
hotly debated topics in the network-security community, often
arousing the type of emotional response normally reserved for
abortion or gun control. Many, particularly among open-source
enthusiasts, argue that users and administrators have a right to
information about the software running on their machines. It
follows that security problems should, therefore, be publicized as
widely and in as much detail as possible–including source code
demonstrating how to exploit them. Forewarned is, after all,
forearmed.”
“As one of the few widely trusted and respected players in
the security field, CERT now has the opportunity to become a kind
of central clearinghouse for vulnerability information, while
shaping the standards for responsible disclosure in ways existing
mailing lists cannot. The end result could make it a lot
easier for the good guys to stay on their toes.”