CERT to disclose software flaws
The security incident response center will give software companies 45 days to fix security flaws, joining the trend toward open discussion of vulnerabilities.
http://www.zdnet.com/zdnn/stories/news/0,4586,2637904,00.html
Hardly. First of all these idiots at ZDnet have gotten full disclosure and "exploit code" mixed up, they are two very different things. Second of all it won't always be 45 days:

http://www.cert.org/faq/vuldisclosurepolicy.html

Q: Will all vulnerabilities be disclosed within 45 days?

A: No. There may often be circumstances that will cause us to adjust our publication schedule. Threats that are especially serious or for which we have evidence of exploitation will likely cause us to shorten our release schedule. Threats that require "hard" changes (changes to standards, changes to core operating system components) will cause us to extend our publication schedule.

In essence it's a PR move. Anyone that actually wants the problem fixed will generally contact the vendor, and then go to Bugtraq/NTBugtraq/LinuxSecurityList and presto, the world knows.

http://www.securityportal.com/list/linux-security/
-- Fred A. Miller
Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/