"David Litchfield" <david@ngssoftware.com> writes:

> With more people and organisations doing security research, perhaps it is
> time for a Vulnerability Co-ordinator Center (a VCC) - some trusted third
> party like an off-shoot of CERT. I know this is not a new idea and one which
> has been brought up before but one I think should perhaps be discussed again
> and acted upon.

I'm not sure if we should condemn ISS for their alleged wrongdoing. If two
teams independently discover the same vulnerability in the same timeframe,
it is not such a bad idea to go ahead and publish, because you have to
assume that pretty soon irresponsible parties will discover it, too.

An aspect that's interesting, too: should eEye/Microsoft have contacted the
Apache developers prior to the publication of their patch/advisories?

> When a vendor is alerted the VCC is CC'd (pun not intentional) and this way
> a co-ordinated full alert can go out when the time is right.

Well, I'm constantly being told that nowadays handling security issues
requires a business model, and so we are facing questions as to whether the
VCC may sell early access to its data, etc. Personally, I expect that such
a VCC is just another institution to which you can pay money in order to
receive prepublication access to security issues.

-- 
Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898