David A. Wheeler's Blog

Thu, 08 May 2008

Open Source Computer Emergency Response Team (oCERT)

Here’s something new and interesting: the Open Source Computer Emergency Response Team (oCERT). Here’s how they describe themselves: “The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities…”.

They promise to keep things moving. They do permit embargo periods (during which a vulnerability is not publicly disclosed, giving developers time to fix the problem first). More importantly, though, they cap embargoes at a maximum of two months; I think that’s great, and important, because many suppliers have abused embargo periods and left critical vulnerabilities unfixed for as long as the embargo lasted. These abuses have often resulted in customers being exploited through mechanisms that the supplier knew about but refused to fix in a timely manner.

Google is backing oCERT, which is certainly encouraging. Google even mentions my “three conditions” for securing software (thanks!):

  1. people need to actually review the code
  2. developers/reviewers need to know how to write secure code
  3. once found, security problems need to be fixed quickly, and their fixes distributed quickly

Clearly, something like oCERT could help with these.

This ComputerWorld article on oCERT makes some interesting points. One minor point: the article worries that oCERT is using the term “CERT” without permission, but oCERT reports that it does indeed have that permission.
