[77680] in North American Network Operators' Group


Vendor Vulnerability Release Problem

daemon@ATHENA.MIT.EDU (Hannigan, Martin)
Tue Feb 1 01:18:21 2005

From: "Hannigan, Martin" <hannigan@verisign.com>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Tue, 1 Feb 2005 01:17:42 -0500 
Errors-To: owner-nanog-outgoing@merit.edu




I attended the ISP Security BoF this evening and listened to Juniper
and Cisco defend their positions of determining who gets notifications
first. Decent talk. Folks did defend the "you need to reach
us" to get the patch method, but some of it was "me too".

I'd like to suggest to the Program Committee that a talk related to just
this be solicited at the next NANOG and include all of the vendors who
want to participate. 

They did concur that the current system is broken. This is part of the
reason I decided to post this. To let everyone know that this is a
problem and the vendors agree.

What I *was* disappointed in was the harsh criticism of DHS. The vendors called
DHS and the Pentagon the biggest source of leaks related to 'their' security
vulnerabilities. I don't know if that's true, but if they are, I hope
they're leaking to the right people.

Thanks to Juniper and Cisco for holding the talk. 

-M<


--
Martin Hannigan                         (c) 617-388-2663
VeriSign, Inc.                          (w) 703-948-7018
Network Engineer IV                       Operations & Infrastructure
hannigan@verisign.com

