January 29, 2003

CERT and the sex of angels

It looks like CERT continues to lose friends. There have always been disputes about CERT and its role which have ranged in depth and breadth to the point of becoming this century's dispute on the sex of angels (This is not the so-called palamite controversy regarding, amongst other things, the divine essence of angels).

One of the many issues has been that of CERT withholding information and waiting for all the vendors to come up with an answer before publishing anything. The argument in favour goes something along the lines of: "we are giving the vendors the best possible chance of issuing fixes for the vulnerability". The counter-argument is: "the baddies already have the code, by withholding the information you are giving them time to scourge the helpless Internet" (my dramatisation of the issue, of course).

The argument this time revolves around CERT funding (An oldish rant comes from attrition.org) with the latest spat being in relation to "free riding" on other people's research. The point being made is that when CERT obtains vulnerabilities it sends information off to paying customers first and then follows the prescribed "wait for vendors" dance before releasing their bulletin to the wide world.

So, the reasoning goes, if I do all the research for free and send it off to CERT only for them to make money out of it then I might as well just not send it, publish on Bugtraq and be famous.

Might this not be a case for trying to build better cooperation, perhaps creating something which renders CERT obsolete, rather than fighting? Just who exactly benefits from these quarrels? Somehow I doubt it is the "helpless Internet".

Consider taking the constructive side of the argument.

Posted by arrigo at January 29, 2003 04:26 PM