North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Vendor Vulnerability Release Problem

  • From: Jerry Dixon
  • Date: Tue Feb 01 14:05:09 2005

Martin/NANOG, from US CERT OP's perspective we would welcome this discussion
and want to participate if NANOG can add it to the agenda next go around.
Unfortunately I wasn't able to personally participate in this NANOG event
but my team was there and we value the feedback that was provided.

There are many challenges in when to communicate information, how you can
communicate it, and the context in which it is shared not to mention
protecting the info.  Then you throw into the mix platinum support contracts
and it gets even more interesting. Also the complexity goes up based on
availability of exploit tools & ability to carry out an exploit based on
open source instructions found online which also affects disclosure policy
and ability to get information to those infrastructure owners to protect
themselves which sometimes might be a mitigation strategy other than a patch
or upgrade which might or not be available.  To further add to the
complexity would be cyber threat information which would also play a role in
criticality of a vuln and when & how to communicate it in collaboration with
the vendor. 

Also a key driver in the vuln disclosure execution is the reporting vector;

1.  Was it reported directly to vendor from discoverer?
2.  Was it reported to a National Level CERT via private or government
3.  Did vendor discover it through their own QA? 

In short, we're very interested participating in improving the overall
process or at least contributing to it. I'm glad folks we're not shy about
sharing their thoughts with my team ;)  



[email protected] or [email protected]


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Hannigan, Martin
Sent: Tuesday, February 01, 2005 1:18 AM
To: '[email protected]'
Subject: Vendor Vulnerability Release Problem

I attended the ISP Security BoF this evening and listened to Juniper and
Cisco defend their positions of determining who gets notifications first.
Decent talk. Folks did defend the "you need to reach us" to get the patch
method, but some of it was "me too"

I'd like to suggest to the Program Committee that a talk related to just
this be solicited at the next NANOG and include all of the vendors who want
to participate. 

They did concur that the current system is broken. This is part of the
reason I decided to post this. To let everyone know that this is a problem
and the vendors agree.

I *was disappointed in was the harsh criticism of DHS. The vendors called
DHS and the Pentagon the biggest source of leaks related to 'their' security

vulnerabilities. I don't know if that's true, but if they are, I hope
they're leaking to the right people. 

Thanks to Juniper and Cisco for holding the talk. 


Martin Hannigan                         (c) 617-388-2663
VeriSign, Inc.                          (w) 703-948-7018
Network Engineer IV                       Operations & Infrastructure
[email protected]