
Re: Suggestion for Automated Security Information

2000-03-09 17:00:03
From: Garreth Jeremiah <garrethj(_at_)home(_dot_)com>

...
Given any heterogeneous environment, platform or network, an
administrator/security professional often needs to keep track of
multiple OS bug lists. ...

My suggestion is to create an Internet Database where vendors /
Emergency Response Teams, may put information in a SPECIFIC format
regarding security alerts etc.
...

How is this problem related to the work of the IETF?  Isn't the
IETF supposed to be about protocols?

How would this suggestion differ from CERT, besides trivia such as who
sponsors the announcements and pays for the people and computers?


Each vendor could be issued with a bit pattern representing them, and
they may then implement their own bit pattern representing their various
...

Vendors already contact CERT when they discover serious security problems,
and CERT already talks to vendors about reports from the field.  They even
use encryption, maintain mutual emergency contact lists, and so forth.


The overall effect would enable automation to be written that could
query this database ( perhaps simple SQL ) and inform you when one of
the products that you manage has a defect of some sort.

If you don't like the search facility at www.cert.org, why not send
them some suggestions?

                                                         Further, it
could be extended to download the fixes identified, even install them.

Somehow, that doesn't sound like a step in the right direction, but
maybe that's merely because third party patch serving schemes have had
such interesting histories.


                 ...  Monitoring your emails because you subscribed to
70 different bug-traq esque lists is OK, but an automated alerting
system ( as this could easily become ) would be less infallible ...

If you watch 70 different bug-track lists, then you must like hearing a
lot of noise and nonsense.  Most reports of security problems from most
sources are rumors of misunderstood problems or worse.  Even CERT is not
immune to the Chicken Little Syndrome.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com


