RE: Vendor Vulnerability Release Problem

From: mathews@uhunix2.hawaii.edu [mailto:mathews@uhunix2.hawaii.edu] On Behalf Of Robert Mathews
Sent: Tuesday, February 01, 2005 11:01 AM
To: Hannigan, Martin
Subject: Re: Vendor Vulnerability Release Problem

> Date: Tue, 01 Feb 2005 01:17:42 -0500
> From: "Hannigan, Martin" <hannigan@verisign.com>
> To: "'nanog@merit.edu'" <nanog@merit.edu>
> Subject: Vendor Vulnerability Release Problem
>
>
> [ .... ]
>
> They did concur that the current system is broken. This is part of the
> reason I decided to post this. To let everyone know that this is a
> problem and the vendors agree.

Martin:

Thank you for posting this note, as the subject item is of immense
interest to me personally, and to many within US Government. My question,
which I will pose to you shortly, is a broader one; one that goes beyond
the world of ISPs and NSPs to the vastness of the IT world. Still, your
concerns are very much valid in such an area as well.

Before I go forward, I would like to disclose that I do not attend NANOG
meetings regularly.

With regard to your post, Martin, I would like to ask you just how you
see it when you say that "they did concur that the current system is
broken." Studies done within Government indicate a LARGER problem than
'after-incident action', one which directly points to vendor
acknowledgement itself. I am not at liberty to provide further details
on the studies, but suffice it to say that vendor behavior is seen as a
significant problem. So, what of vendor behaviour?

There appeared to be a consensus that the current methodology
is broken. The vendors stated this themselves. The two presenters
would need to clarify that further.

As far as vendor behavior is concerned, I can't comment on that.

It was clear, at least to me, that there is no transparent or uniform
method of distributing serious vulnerabilities, at least none that
participants of NANOG are aware of.

I will concur that the vendors may not currently have a way to proceed
with these problems, but I don't know that the operator community,
ground zero for these vulnerabilities, hasn't been consulted as a
whole. ((archives)).

> What I *was* disappointed in was the harsh criticism of DHS. The
> vendors called DHS and the Pentagon the biggest source of leaks related
> to 'their' security vulnerabilities. I don't know if that's true, but
> if they are, I hope they're leaking to the right people.

Since I was not there for the discussion, I cannot appropriately relate
to the exchange held, but I would just like to understand, if I may,
what the perception of DHS and of the Pentagon, respectively, was among
the many gathered.

My interpretation of the event was that the speakers considered
DHS and the Pentagon to share some level of responsibility as to
why vendors can't detail serious vulnerabilities. The feedback
seemed to deride the Pentagon more than DHS. I can't gauge what
the participants felt. As a guess, I think it was believable in
the way it was presented.

The overall impression was that the relevant government
agencies are not credible. (I disagree from my own experience).

If you feel that this matter would be of interest to the NANOG
community, do feel free to re-post.

Reposted whole.