[linux-elitists] Security Vendor Cuts Ties With CERT

James Morris jmorris@intercode.com.au
Wed Jan 29 15:35:41 PST 2003


On Wed, 29 Jan 2003, Don Marti wrote:

> OK,  I'm looking at the RFPolicy document right now:
> http://www.wiretrip.net/rfp/policy.html
> 
> and while I see entries for 
> 
> The ISSUE, The ORIGINATOR, and The MAINTAINER, I don't see any
> entries for the POINTLESS MIDDLEMAN.  Why do we need CERT again?

Sometimes a vulnerability affects multiple maintainers; the originator may
not be able or want to do the research on this, and it is useful to have a
trustworthy organization to perform independent analysis and coordinate
communications, status info, disclosure dates etc.  For users, a single
comprehensive advisory from an organization like CERT helps make security
issues simpler to manage, especially if a vulnerability affects lots of
stuff and they have lots of stuff to look after.

CERT and similar organizations also operate as a trusted buffer between
originators and maintainers, although the RFP can be useful here 
sometimes.


- James
-- 
James Morris
<jmorris@intercode.com.au>
