Government officials and private organizations alike are reviewing their vulnerability disclosure processes after several incidents over the past 10 days exposed major shortcomings in the way new bugs are handled. The most dramatic case for change came early last week when an anonymous member of a security mailing list posted three unpublished vulnerability advisories. None of the advisories had been released by their authors, or by a third party such as the CERT Coordination Center, which typically handles such announcements. The posts were taken from advance copies of the advisories that CERT had shared with a select group of software vendors, something that has angered CERT officials. "We know that the text was taken directly from messages we shared with the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT, based at Carnegie Mellon University, in Pittsburgh. "We've always believed that the vendors need advance notice. But in this case, someone with access decided to [go] public."

The link for this article located at eWeek is no longer available.