NISCC Withholding Information from Vendors?

Posted by jericho Mon, 14 Nov 2005 13:56:18 GMT

The idea behind CERT-like groups is the responsible disclosure and handling of vulnerability information. NISCC, in their own words:

Welcome to the National Infrastructure Security Co-ordination Centre

A fundamental role for any government is to ensure the continuity of society in times of crisis. This often involves providing extra protection to essential services and systems to make them more resistant to disruption and better able to recover quickly.

NISCC has no regulatory, legislative or law enforcement role; it seeks to achieve its aim through four broad work streams:

Outreach. Promoting protection and assurance by encouraging information sharing, offering advice and fostering best practice.

Despite NISCC's stated commitment to outreach, the Openswan project is calling that commitment into question. From a post to the DailyDave mailing list:

NISCC’s achievement this time:

- do not release vulnerability information to open source vendors prior to release. Just tell them they cannot have the information for 4 months.
- try to postpone for another 3 months, but get their hands forced by CERT-FI
- do not list vendors impacted in their announcement.
- do not request a CVE.
- give the public absolutely no information on the vulnerability and whether they are impacted or need to urgently upgrade or not.
