"Klaus, Chris (ISSAtlanta)" wrote:
>
> There has been a lot of misinformation spread about our ISS Apache Advisory
> and I wanted to clean up any confusion and misunderstanding.
>
> 1) Our policy for publishing advisories is to give a vendor a 30 to 45
> day quiet period to provide an opportunity to create a patch or work around.
> If an exploit for the vulnerability appears in the wild, or a patch and
> work-around is provided by the vendor or ISS X-Force, this quiet period is
> disregarded and the ISS X-Force advisory is published immediately.
>
> In the case of this advisory, ISS X-Force provided an Apache patch and did
> not see a need for a long quiet period.

Perhaps I'm missing something here. Did you provide a patch for the RedHat
RPM distribution? The Windows 32 binary distribution? The XYZ distro?

It is a somewhat myopic view to claim that the availability of a software
patch automatically means everyone has the means to apply it. On the one
hand, you honor a vendor quiet period. On the other hand, you disregard the
purpose of the quiet period: to allow the vendor an opportunity to create a
solution CONSUMABLE BY THE END-USERS.

> Due to the general nature of open-source and its openness, the virtual
> organizations behind the projects do not have an ability to enforce strict
> confidentiality. By notifying the open source project, its nature is that
> the information is quickly spread in the wild disregarding any type of quiet
> period. ISS X-Force minimizes the quiet period and delay of protecting
> customers by providing a security patch.

You honestly believe that, say, 10 individuals or so within an open source
organization have any more or less ability to prevent information
dissemination than providing information to a proprietary product vendor?
And why is that? Do you know what the vendors' security issue handling
procedures are? Open sources'? The fact is, no-one has the ability to
enforce strict confidentiality.

Tomorrow, if an Unnamed Vendor employee is fired for leaking sensitive
information, will you then release an early advisory against the Unnamed
Vendor's product because they have shown to have information leakage?

Using "this is open source" to support early release is bogus.

There certainly may have been some misinformation going about. But if you
honestly believe the community using Apache would be served effectively by
your patch, then you have a very poor understanding of product usage, IMHO.

> ISS has made these decisions based on our mission to provide the best
> security to our customers and being a trusted security advisor.

Regrettably, that's not the impression that was left.

Thomas Reinke

> Sincerely,
> Christopher W. Klaus
>
> ***********************************************************************
> Christopher W. Klaus
> Founder and CTO
> Internet Security Systems (ISS)
> 6303 Barfield Road
> Atlanta, GA 30328
> Phone: 404-236-4051  Fax: 404-236-2637
> web http://www.iss.net
> NASDAQ: ISSX
> Internet Security Systems ~ The Power To Protect

-- 
------------------------------------------------------------
E-Soft Inc.                    http://www.e-softinc.com
Publishers of SecuritySpace    http://www.securityspace.com
Tel: 1-905-331-2260  Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831