2000/02/15 : Schneier published his monthly newsletter.
He reflects on the vulnerability debate.
"My position has changed over time. I'd like to revisit it. There are really two issues here, intertwined. If someone discovers a vulnerability in a product, should he quietly alert the vendor or should he make it public? And when is a vulnerability important and when is it trivial?" (p.4)
Schneier also recounts the creation of the CERT Coordination Center in 1988.
"In 1988, the Morris Worm illustrated how susceptible the Internet is to attack. The Defense Advanced Research Projects Agency (DARPA) funded a group to coordinate responses to these kinds of attacks, increase security awareness, and generally do good things for Internet security. The group is known as CERT".
"I believe in giving the vendor advance notice. CERT took this to an extreme, sometimes giving the vendor years to fix the problem. I'd like to see the researcher tell the vendor that he will publish the vulnerability in a month, or three weeks (no fair giving the vendor just seven days to fix the problem)."
Critical Commentary
This artefact is part of the Schneier Publications Bundle and of the CERT CC Bundle.