CERT@sei.cmu.edu (10/05/89)
In a recent post on comp.unix.wizards ("sendmail/ftpd security-holes raise their ugly heads again..."), John Chambers asked what steps you can take if you find a security hole in a vendor's product.

One avenue for dealing with security problems is to contact the Computer Emergency Response Team (CERT). We were formed last November right after the Internet Worm. We are DARPA sponsored and located at the Software Engineering Institute (SEI), which is part of Carnegie Mellon University. Our basic function is to help deal with security problems on the Internet. We have a 24-hour hotline number and a mail address, and we deal with both break-ins and vulnerabilities such as the sendmail problem John Chambers discussed.

One of the services we can provide is helping communicate security problems to vendors. We have contacts with a number of vendors, and these contacts allow us to communicate the problems and find out the status of them. We also have contacts with different organizations within the vendors: the technical people who fix the problems and the marketing and management people that make the decisions about what gets fixed. We have found that vendors are responsive to security problems if you talk to the right people. That's part of the service we can provide.

This is not a replacement for contacting the vendors directly. If you are a customer of a vendor and you find a security problem, we encourage you to contact your vendor. However, we can help augment that communication to make sure the message gets through.

We can't work miracles. Fixing or patching a large software system is a major undertaking for any vendor. Even when they do fix a problem, the mechanics of getting a fix out are formidable. But the vendors we have worked with do care about security problems.

If you do come across security problems, please consider sending a message to cert@sei.cmu.edu or calling our hotline number (412) 268-7090.

J. Paul Holbrook
Computer Emergency Response Team
Internet: <cert@SEI.CMU.EDU>
(412) 268-7090 (24 hour hotline)