Vendor Vulnerability Release Problem

I attended the ISP Security BoF this evening and listened to Juniper
and Cisco defend their positions of determining who gets notifications
first. Decent talk. Folks did defend the "you need to reach us to get
the patch" method, but some of it was "me too".

I'd like to suggest to the Program Committee that a talk related to just
this be solicited at the next NANOG and include all of the vendors who
want to participate.

They did concur that the current system is broken. This is part of the
reason I decided to post this. To let everyone know that this is a
problem and the vendors agree.

What I *was* disappointed in was the harsh criticism of DHS. The vendors called
DHS and the Pentagon the biggest source of leaks related to 'their' security
vulnerabilities. I don't know if that's true, but if they are, I hope
they're leaking to the right people.

Thanks to Juniper and Cisco for holding the talk.


Martin/NANOG, from US CERT OP's perspective we would welcome this discussion
and want to participate if NANOG can add it to the agenda next go around.
Unfortunately I wasn't able to personally participate in this NANOG event
but my team was there and we value the feedback that was provided.

There are many challenges in when to communicate information, how you can
communicate it, and the context in which it is shared, not to mention
protecting the info. Then you throw platinum support contracts into the mix
and it gets even more interesting. Also, the complexity goes up based on the
availability of exploit tools and the ability to carry out an exploit based on
open source instructions found online, which also affects disclosure policy
and the ability to get information to those infrastructure owners so they can
protect themselves, which sometimes might be a mitigation strategy other than a
patch or upgrade, which might or might not be available. To further add to the
complexity, cyber threat information would also play a role in the
criticality of a vuln and when and how to communicate it in collaboration with
the vendor.

Also, a key driver in the vuln disclosure execution is the reporting vector:

1. Was it reported directly to the vendor by the discoverer?
2. Was it reported to a National Level CERT via private or government?
3. Did the vendor discover it through their own QA?

In short, we're very interested in participating in improving the overall
process, or at least contributing to it. I'm glad folks were not shy about
sharing their thoughts with my team :wink:


Jerry or