Re: Remote Compromise Vulnerability in Apache HTTP Server
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Tue, 18 Jun 2002 07:29:58 +0200
"David Litchfield" <david () ngssoftware com> writes:
> With more people and organisations doing security research, perhaps it is
> time for a Vulnerability Co-ordinator Center (a VCC) - some trusted third
> party like an off-shoot of CERT. I know this is not a new idea and one which
> has been brought up before but one I think should perhaps be discussed again
> and acted upon.
I'm not sure if we should condemn ISS for their alleged wrongdoing.
If two teams independently discover the same vulnerability in the same
timeframe, it is not such a bad idea to go ahead and publish because
you have to assume that pretty soon, irresponsible parties discover
An aspect that's interesting, too: Should eEye/Microsoft have
contacted the Apache developers prior to the publication of their
> When a vendor is alerted the VCC is CC'd (pun not intentional) and this way
> a co-ordinated full alert can go out when the time is right.
Well, I'm constantly being told that nowadays, handling security
issues requires a business model, and so we are facing questions
whether the VCC may sell early access to its data etc.
Personally, I expect that such a VCC is just another institution to
which you can pay money in order to receive prepublication access
about security issues.
Florian Weimer Weimer () CERT Uni-Stuttgart DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898