mailing list archives
Re: ISS Apache Advisory Response
From: Thomas Reinke <reinke () e-softinc com>
Date: Fri, 21 Jun 2002 16:05:29 -0400
"Klaus, Chris (ISSAtlanta)" wrote:
There has been a lot of misinformation spread about our ISS Apache Advisory
and wanted to clean up any confusion and misunderstanding.
1) Our policy for publishing advisories is to give a vendor 30 to 45
day quiet period to provide an opportunity to create a patch or work around.
If an exploit for the vulnerability appears in the wild, or a patch and
work-around is provided by the vendor or ISS X-Force, this quiet period is
disregarded and the ISS X-Force advisory is published immediately.
In the case of this advisory, ISS X-Force provided an Apache patch and did
not see a need for a long quiet period.
Perhaps I miss something here. Did you provide a patch for the
RedHat RPM distribution? The Windows 32 binary distribution? The
XYZ distro? It is a somewhat myopic view to claim that the
availability of a software patch automatically means everyone has
the means to apply it. On the one hand, you honor a vendor quiet
period. On the other hand, you disregard the purpose of the quiet
period: to allow the vendor an opportunity to create a solution
CONSUMABLE BY THE END-USERS.
Due to the general nature of open-source and its openness, the virtual
organizations behind the projects do not have an ability to enforce strict
confidentiality. By notifying the open source project, its nature is that
the information is quickly spread in the wild disregarding any type of quiet
period. ISS X-Force minimizes the quiet period and delay of protecting
customers by providing a security patch.
You honestly believe that, say,
10 individuals or so within an open source organization have any
more or less ability to prevent information dissemination than
providing information to a proprietary product vendor? And why
is that? Do you know what the vendors' security issue handling
procedures are? Open sources'? The fact is, no-one has the ability
to encorce strict confidentiality. Tomorrow, if a Unnamed Vendor
employee is fired for leaking sensitive information, will you
then release an early advisory against the Unnamed Vendor's product
because they have shown to have information leakage? Using "this is
open source" to support early release is bogus.
There certainly may have been some misinformation going about.
But if you honestly believe the community using Apache would be
served effectively by your patch, then you have a very poor
understanding of product usage, IMHO.
ISS has made these decisions based on our mission to provide the best
security to our customers and being a trusted security advisor.
Regrettably, that's not the impression that was left.
Christoper W. Klaus
Christopher W. Klaus
Founder and CTO
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, GA 30328
Phone: 404-236-4051 Fax: 404-236-2637
Internet Security Systems ~ The Power To Protect
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com
Tel: 1-905-331-2260 Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831