North American Network Operators Group


Vendor Vulnerability Release Problem

  • From: Hannigan, Martin
  • Date: Tue Feb 01 01:19:31 2005

I attended the ISP Security BoF this evening and listened to Juniper
and Cisco defend their positions of determining who gets notifications
first. Decent talk. Folks did defend the "you need to reach
us" to get the patch method, but some of it was "me too".

I'd like to suggest to the Program Committee that a talk related to just
this be solicited at the next NANOG and include all of the vendors who
want to participate. 

They did concur that the current system is broken. This is part of the
reason I decided to post this. To let everyone know that this is a
problem and the vendors agree.

What I *was* disappointed in was the harsh criticism of DHS. The vendors called
DHS and the Pentagon the biggest source of leaks related to 'their' security
vulnerabilities. I don't know if that's true, but if they are, I hope
they're leaking to the right people.

Thanks to Juniper and Cisco for holding the talk. 


Martin Hannigan                         (c) 617-388-2663
VeriSign, Inc.                          (w) 703-948-7018
Network Engineer IV                       Operations & Infrastructure
[email protected]