Chris Wysopal <cwysopal@atstake.com> writes:

> I was not aware of the paid prepublication access that some
> coordinators provide at the time the draft was written. I don't know
> if Steve knew this. This was a new concept at the time. I have heard
> that CERT is willing to keep researcher submissions confidential if
> requested. But this is second hand knowledge.

Only one (!) FIRST member has responded to an informal request to clarify these issues and assured me that they won't share information before publication. However, they do receive about one request per month for such information (not too surprising considering their position).

BTW, have a look at <http://www.itworld.com/Sec/2210/IDG01419cert/> (and look at the publication date). This press article suggests that members of the Internet Security Alliance receive plenty of information. I wonder how many researchers who contact CERT/CC have this crucial background information. Unfortunately, the CERT/CC FAQ is open to interpretation -- whether sharing with ISA members is implicit or explicit, mandatory or optional.

Half a year ago I was being laughed at when I remarked that a trusted coordinator with a viable business model that does not include paid early access is a big problem. *sigh*

> There are some organizations that prepublish minimal information
> such as the software and version affected by a vulnerability and
> perhaps workaround information.

This is what ISS does. Their clients are granted access to the full advisory, according to their published policy. But thanks for clarifying that this is just an error in the documentation. :-)

> I have heard secondhand that CERT prepublication information is much
> more detailed. I could see a market for prepublication exploit code.

There is already such a market. Several organizations are buying, and researchers are selling. The most visible but still regularly overlooked example is iDEFENSE.

(In the past, some vendors even thanked iDEFENSE for responsibly disclosing a vulnerability, even though they didn't receive a single day of advance notice!)

There is even a market for post-publication exploit code: Creating IDS signatures and test cases for scanning tools is quite a bit easier if you've got working exploit code. Most of the time, you are lost if you haven't got the source code of the vulnerable software, and even if there is source code, it often contradicts what the vendors tell you, or you have to wade through thousands of lines of patches. Furthermore, considerable expertise in the protocols involved in the issue might be needed. If I were an IDS/network scanner vendor, I'd really try to play the Coordinator role for this reason.

Nowadays, you won't get the exploit code from public archives most of the time (although you can always ask, but with varying degrees of success...).