It would be interesting to see how many of the bugs in BIND have been found
by Whitehats and how many have been found by Blackhats.
Any bug that has been found by a Blackhat should be made public instantly,
because by the time Whitehats find out about the bug, it is already being used.
IMHO, all bugs should be released disclosed ASAP, and waiting for some
vendor to fix their version is just plain wrong.
1. My Company runs Company A's BIND implementation.
2. A bug is found that affects all versions of BIND.
3. BMF notify their members, and give them 2 weeks to fix before the
annoucement.
4. Company A fix their implementation immediately, but can't make an
announcement because of BMF rules.
5. I know nothing about the bug so do nothing.
6. My Company gets hacked using an exploit for the bug.
7. We spend lots of time recovering from the hack.
8. BMF finally give the ok for the announcements.
9. My Company installs the fixed version that was "available" before we got
hacked.
10. In the tradition of the good old USA we start a class action law suit
and sue the pants off of the BMF, Members, and the ISC.
Drew.
>One - just ONE - of the features suggested - only suggested - for the
>BIND Members Forum (BMF) is that members get advance warning of
>security problems. This is not unreasonable given that members are
>likely to be folks running root, gTLD and ccTLD name servers or
>vendors who have to prepare and ship security patches to their
>customers. Or do you think that critical Internet infrastructure
>should just take their chances that the script kiddies don't get to
>them first? Another membership constituency are the companies who
>build products on top of BIND. They need time to incorporate any
>security fix too. Many of them were taken by surprise by Monday's
>announcement.
