Vulnerability Coordination

["David Litchfield" <david () ngssoftware com>]

Wow. What an interesting set of colourful responses I got after suggesting
the creation of a vulnerability coordination centre. This is obviously
something that people feel very strongly about and the general perception I
get is that such a group would be something to fear like Big Brother.

What is being suggested is the creation of, not some Orwellian entity
designed to control release of security information, but a body of trust,
based upon cooperation, to work towards the timely and safe announcement of
new vulnerabilities. For example, I have a good relationship with a number
of security researchers to the extent where we can quite happily exchange
new vulnerability information between ourselves because there is a bond of
trust. I know they will not abuse the information I have given them and,
likewise, they know I will not abuse the information they have given me.
What we have here is a working model of such a platform. When I alert a
vendor to a bug, I can ask these guys if they've done any similar work. Fine
on a small scale but in the larger more 'real' world?

Here's how I would see a typical scenario for a VCC.

Security Researcher Harry finds a vulnerability in vendor X's software so he
alerts X and VCC. Security Researcher Ron also discovers a vulnerability in
the same product and tells X and VCC. Neville, who is a volunteer at VCC,
looks at both vulnerability reports and ascertains that Harry and Ron have
found two seperate vulnerabilities and performs no action. But later on in
the month, Hermione, who has also been looking been looking at the product
from X also notes a vulnerability. On alerting X and VCC, Neville and the
security contact at X can both tell Hermione that she has discovered what
Harry has already discovered. Neville can also let Hermione know what the
current plan for releasing an advisory is. This way both Hermione and Harry
can get the credit for the discovery and the general public are alerted when
a patch has been made available and so everyone wins. Where the strength of
the VCC comes in to play is where the vendor neglects to tell the later
researcher that the problem has been discovered before. What's also
important to not is that just because VCC has been given this information
doesn't mean they go giving it to anyone that asks - hence the NOP with
Harry and Ron. You only get this kind of situation when trust has been built
up, though.

Assume such an organization did exist. No one would be forced to join the
group, no one would be forced to adhere to any guidelines - it's not about
control but about collective cooperation. CERT is the perfect organization
for this kind of thing. Some have asked though, "Why should I trust CERT"
and the answer is, of course, "You don't have to." For those that do trust
CERT, however and want to get involved then go ahead.

(I know it sort of seems like I'm volunteering CERT to do the job, here, on
their behalf but I'm only using them as an example organization that would
suit such a role.)


The bottom line is those that thinks it's a good idea - get behind it. Those
that think it sucks - well - just keep on doing what you're doing already.

Here's what I'mm going to do in the interim. Every time I alert a vendor to
a vulnerability I'll send a note to CERT and CVE at the same time. I,
personally, trust them and until they do something to the contrary they will
keep my trust. I'd suggest to others that may think this is a good idea to
do likewise. You never know something useful might come out of all of this
;-)

Longer term, what I'd like to see is organizations like CERT and CVE
publishing a seperate e-mail address to be used for such things - of course
that's their call though.

Cheers,
David Litchfield
Next Generation Security Software Ltd
http://www.ngssoftware.com/
+44(0)208 401 0070