Re: ISS Apache Advisory Response

At 6:06 PM -0400 6/20/02, Klaus, Chris (ISSAtlanta) wrote:
>In the case of this advisory, ISS X-Force provided an Apache patch and did
>not see a need for a long quiet period.

I do not believe that there are any circumstances in which a 
non-vendor provided patch can be considered equivalent to a quiet 
period.  The belief that you can just issue a patch and consider the 
problem solved shows a complete lack of understanding for the 
software development process.  Review, testing, and QA are all part 
of that process--a third party patch is no substitute for those.  And 
no security researcher can claim to have a better understanding of 
the ramifications of a problem than the vendor.  This behavior also 
completely ignores the fact that even for Open Source software there 
is an issue of binary-only distributors who need to be given a 
heads-up.

>Due to the general nature of open-source and its openness, the virtual
>organizations behind the projects do not have an ability to enforce strict
>confidentiality.  By notifying the open source project, its nature is that
>the information is quickly spread in the wild disregarding any type of quiet
>period.  ISS X-Force minimizes the quiet period and delay of protecting
>customers by providing a security patch.

You're kidding, right?  "We had to make it public because we didn't 
trust the vendor to keep it secret"?  I expected an apology from 
you--not an attempt to justify your behavior.  Some people just 
don't know how to say, "Oops, I was wrong."

I see absolutely no reason that notification of open-source projects 
should follow rules any different than those for closed-source 
projects.  The only time you should issue a patch without prior 
notification is if there is no known maintainer for the software--and 
even then it would be wise to run the patch by other people who use 
the software first.  ISS's behavior here has been completely 
irresponsible, and has potential to seriously damage the reputation 
of the Apache software.  And as one of the thousands of system 
administrators currently scrambling to update multiple servers on 
multiple platforms scattered on hosting providers around the world, I 
sincerely hope that ISS will retract this new definition of "quiet 
period" that they have invented.
-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.