Florian Weimer wrote:
However, this is now a strawman. The document has clearly been
overtaken by events (if it has ever been up-to-date). For example, it
ignores that currently, those people who are expected to play the role
of Coordinators usually provide paid prepublication access to
vulnerability information. The draft does not require Coordinators to
keep the information they receive strictly confidential, but I'm not
sure if this was the intent of the authors or just an oversight.
I was not aware of the paid prepublication access that some coordinators
provide at the time the draft was written. I don't know if Steve knew
this. This was a new concept at the time. I have heard that CERT is
willing to keep researcher submissions confidential if requested. But
this is secondhand knowledge.
To clarify the draft, it was not our intention to delve too deeply into
standardizing coordinator behavior since the issues are many. We also
scoped the document to not touch the issue of disclosure content.
My thoughts on coordinator behavior would be to keep the information
confidential amongst researcher, coordinator, and potentially affected
vendors. Every party that receives prepublication information increases
the risk to the Internet as a whole while decreasing it for the
party. Information is bound to leak as more parties are added to the
prepublication list.
Prepublication is not a black or white issue. There are some
organizations that prepublish minimal information such as the software
and version affected by a vulnerability and perhaps workaround
information. This is what ISS does. I have heard secondhand that CERT
prepublication information is much more detailed. I could see a market
for prepublication exploit code. There is also the issue of what kind of
organizations are allowed to join a prepublication group and what are
the contractual limits of what they can do with the information they
receive. For instance, can a security consulting company subscribe to
the prepublication group and then use the information to protect their
customers? There are many nuances once you allow prepublication.
Cheers,
Chris