A long-simmering dispute between the CERT Coordination Centre and vulnerability research companies has boiled over with Next Generation Security Software (NGSS) announcing it has severed its relationship with CERT.
NGSS claimed that the government-sponsored Internet security reporting centre passed vulnerability information to third parties.
The dispute between NGSS and CERT arose over a batch of six software vulnerabilities that NGSS shared with CERT at the same time as it disclosed them to the affected software vendor, NGSS co-founder Mark Litchfield said.
Before a patch was issued or the public notified about the vulnerability, the affected software vendor was approached by two government agencies concerning the undisclosed vulnerability. Those agencies said that CERT had informed them about the flaw, Litchfield said.
CERT's vulnerability disclosure policy, which is posted on its Web site, clearly states that the organisation distributes vulnerability information prior to public disclosure. Recipients of that information include CERT sponsors, software vendors not affected by the vulnerability, members of the Internet Security Alliance and owners of critical infrastructure, according to information on the site.
Litchfield said that he was not fully aware of the disclosure policy and had not carefully read the information posted on the CERT Web site.
"Not everyone reads every word on a Web site," Litchfield said.
He was still upset by the CERT policy, especially the disclosure of information to members of the Internet Security Alliance (ISAlliance), a public-private trade group.
"I saw it as a betrayal in trust," Litchfield said. "My expectation was that we'd let CERT know about it so that they'd do their own internal research on the issue, do further checks, then write their own advisory and publish it."
An effort to have CERT sign a non-disclosure agreement with NGSS in exchange for continued vulnerability reports was rebuffed, he said.
"As a policy, we've decided that it's not in the public interest to hide vulnerability information from people who need that to defend critical infrastructure," manager of the CERT Coordination Centre in Pittsburgh, Jeffrey Carpenter, said.
While companies such as NGSS profited from the vulnerabilities they discovered, CERT had a greater mission to serve the Internet community by passing along vulnerability information to affected companies, Carpenter said.
However, Litchfield said that by sharing information with the dues-paying members of the ISAlliance, CERT was going beyond its duty to notify affected organisations. Instead, CERT was essentially selling an early look at vulnerability information to third parties, some of which were potential NGSS competitors.
CERT denied any conflict of interest between its role as an independent reporting organisation and its practice of disclosing vulnerability information to ISAlliance members and the US government.
Carpenter said many ISAlliance members were critical infrastructure owners, including financial institutions, telecommunications companies and software vendors, though membership was not limited to such organisations.
In addition, a strict security screening process and non-disclosure policy prevented ISAlliance members from circulating the vulnerability information they received from CERT outside of their organisation, deputy executive director and operations officer of the ISAlliance, Larry Clinton, said.
In theory, that should keep information that was confidentially disclosed to CERT from being spread by other companies. However, most security companies are not taking any chances.
"When the ISAlliance was formed, a big part of the value of that was its relationship with CERT and that if you joined you got detailed vulnerability information," director of research and development at @stake, Chris Wysopal, said.
"From that point on, most of the people I talk to, other security researchers at other companies, decided not to give any information to CERT unless they needed help (disseminating it)."
Wysopal said NGSS' announcement regarding CERT, while more public, was not an uncommon position in the security community.
"What we have done, because we are a small company with limited resources, is to contact CERT only with widespread issues," he said.
Litchfield said that NGSS had not decided whether it would use CERT to disseminate information about widespread vulnerabilities.
The rift between the security researchers and CERT could threaten to make the reporting organisation irrelevant, Wysopal said. Compared with the period before the announcement of the ISAlliance relationship, recent CERT alerts were based more often on information publicly available elsewhere than on information disclosed exclusively to CERT.
The loss of information from NGSS will be sorely felt. The company's researchers found a number of high-profile software vulnerabilities in recent years including the Microsoft SQL Server vulnerability recently exploited by the Slammer worm. NGSS shared a number of those vulnerabilities with CERT at the same time they were disclosed to the affected software vendor.
CERT offered little comment on the NGSS decision to stop reporting vulnerabilities.
"That's their decision to make," Carpenter said.
CERT, which receives funding from the US Department of Defence, has been under pressure from the US Federal Government in recent years to increase its interactions with the private sector and to get help funding its operation.
CERT's response was to partner with the Electronic Industries Alliance, a federation of trade associations, and form the ISAlliance.
"The ISAlliance was formed to promote security improvement across the Internet and to enable CERT to provide important information to critical infrastructure operators within the private sector," CERT said in a statement. "The funds that CERT receives from the ISAlliance directly support this interaction."
At the same time as it has had to look for private sector help, however, the organisation has had to keep up with an ever-increasing number of software vulnerabilities and high-profile attacks stemming from those vulnerabilities.
CERT recorded just over 9,800 incidents in 1999. By 2002, that number had grown to more than 82,000 separate incidents.
"We do the best we can with the funding we have. We'd always like to have more," manager of communications at CERT, William Pollak, said.
While not opposed to private funding of CERT, per se, security researchers would like to see CERT find a way to fund its operations that does not conflict with its mission as an independent reporting body. One way might be for CERT to use its research talent and established vulnerability rating and publishing system to analyse, package and distribute vulnerability information after it has been publicly released.
"They have a good methodology for creating a risk rating and doing the formatting and analysis," Wysopal said. "They could be a third party between the vendor and the researcher and could sell that extra information."
Litchfield praised CERT for the work it had done publicising vulnerability information, especially in cases where a vulnerability affected a wide array of products.
However, security researchers needed to be better informed about how vulnerability information would be handled when they gave it to CERT, he said.
"My basic concern was to make sure other independent researchers are aware that this is CERT's policy, because we weren't aware," Litchfield said. "If someone had made us aware, we would have stopped informing CERT ages ago."