A long-simmering dispute between the CERT Coordination Center and vulnerability research companies flared into public view Monday when Next Generation Security Software Ltd. (NGSS) announced it is severing its relationship with CERT, saying that the government-sponsored Internet security reporting center passed vulnerability information to third parties.
The dispute between NGSS and CERT arose over a batch of six software vulnerabilities that NGSS shared with CERT at the same time as it disclosed them to the affected software vendor, according to Mark Litchfield, cofounder of NGSS, which is based in Sutton, England.
Before a patch was issued or the public notified about the vulnerability, the affected software vendor was approached by two government agencies concerning the undisclosed vulnerability. Those agencies said that CERT had informed them about the flaw, according to Litchfield.
CERT's vulnerability disclosure policy, which is posted on its Web site, clearly states that the organization distributes vulnerability information prior to public disclosure. Recipients of that information include CERT sponsors, software vendors not affected by the vulnerability, members of the Internet Security Alliance and owners of critical infrastructure, according to the CERT Web site.
Litchfield acknowledges that he was not fully aware of the disclosure policy and hadn't carefully read the information posted on the CERT Web site.
"Not everyone reads every word on a Web site," Litchfield said.
Still, the CERT policy, especially the disclosure of information to members of the Internet Security Alliance (ISAlliance), a public-private trade group, rubbed Litchfield the wrong way.
"I saw it as a betrayal in trust. My expectation was that we'd let CERT know about it so that they'd do their own internal research on the issue, do further checks, then write their own advisory and publish it," Litchfield said.
An effort to have CERT sign a nondisclosure agreement with NGSS in exchange for continued vulnerability reports was rebuffed, Litchfield said.
"As a policy, we've decided that it's not in the public interest to hide vulnerability information from people who need that to defend critical infrastructure," said Jeffrey Carpenter, manager of the CERT Coordination Center, which is at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
While companies such as NGSS profit from the vulnerabilities they discover, CERT has a greater mission to serve the Internet community by passing along vulnerability information to affected companies, Carpenter said.
But by sharing information with the dues-paying members of the ISAlliance, CERT is going beyond its duty to notify affected organizations, Litchfield contends. Instead, CERT is essentially selling an early look at vulnerability information to third parties, some of which are potential NGSS competitors, according to Litchfield.
CERT denied any conflict of interest between its role as an independent reporting organization and its practice of disclosing vulnerability information to ISAlliance members and the U.S. government.
Many ISAlliance members are critical infrastructure owners, including financial institutions, telecommunications companies and software vendors, though membership is not limited to such organizations, Carpenter said.
In addition, a strict security screening process and nondisclosure policy prevents ISAlliance members from circulating the vulnerability information they receive from CERT outside of their organization, said Larry Clinton, deputy executive director and operations officer of the ISAlliance.
In theory, that should keep information that was confidentially disclosed to CERT from being spread by other companies. Most security companies aren't taking any chances, however.
"When the ISAlliance was formed, a big part of the value of that was its relationship with CERT and that if you joined you got detailed vulnerability information," said Chris Wysopal, director of research and development at @stake Inc. in Cambridge, Massachusetts.
"From that point on, most of the people I talk to, other security researchers at other companies, decided not to give any information to CERT unless they needed help (disseminating it)," Wysopal said.
NGSS's announcement regarding CERT, while more public, is not an uncommon position in the security community, Wysopal said.
"What we have done, because we are a small company with limited resources, is to contact CERT only with widespread issues," Wysopal said.
Litchfield said that NGSS has not decided whether it will use CERT to disseminate information about widespread vulnerabilities.
The rift between the security researchers and CERT could threaten to make the reporting organization irrelevant, Wysopal said.
Compared with the period before the announcement of the ISAlliance relationship, recent CERT alerts are based more often on information publicly available elsewhere than on information disclosed exclusively to CERT, Wysopal said.
Clearly, the loss of information from NGSS will be sorely felt. The company's researchers found a number of high-profile software vulnerabilities in recent years, including the Microsoft SQL Server vulnerability exploited by the Slammer worm that appeared on Saturday. NGSS shared a number of those vulnerabilities with CERT at the same time they were disclosed to the affected software vendor.
CERT offered little comment on the NGSS decision to stop reporting vulnerabilities.
"That's their decision to make," Carpenter said.
CERT, which receives funding from the U.S. Department of Defense, has been under pressure from the federal government in recent years to increase its interactions with the private sector and to get help funding its operation.
CERT's response was to partner with the Electronic Industries Alliance, a federation of trade associations, and form the ISAlliance.
"The ISAlliance was formed to promote security improvement across the Internet and to enable CERT to provide important information to critical infrastructure operators within the private sector," CERT said in a statement. "The funds that CERT receives from the ISAlliance directly support this interaction."
At the same time as it has had to look for private sector help, however, the organization has had to keep up with an ever-growing number of software vulnerabilities and high-profile attacks stemming from those vulnerabilities.
CERT recorded just over 9,800 incidents in 1999. By 2002, that number grew to more than 82,000 separate incidents.
"We do the best we can with the funding we have. We'd always like to have more," said William Pollak, manager of communications at CERT.
While not opposed to private funding of CERT, per se, security researchers would like to see CERT find a way to fund its operations that does not conflict with its mission as an independent reporting body. One way might be for CERT to use its research talent and established vulnerability rating and publishing system to analyze, package and distribute vulnerability information after it has been publicly released.
"They have a good methodology for creating a risk rating and doing the formatting and analysis. They could be a third party between the vendor and the researcher and could sell that extra information," Wysopal said.
Litchfield gave CERT credit for the work that it has done publicizing vulnerability information, especially in cases where a vulnerability affects a wide array of products.
However, security researchers need to be better informed about how vulnerability information will be handled when they give it to CERT, he said.
"My basic concern was to make sure other independent researchers be aware that this is CERT's policy, because we weren't aware. If someone had made us aware, we would have stopped informing CERT ages ago," Litchfield said.