DFN-CERT
Unlike CERT, who seem to drop Linux security reports into the bit bucket
as soon as they receive them, DFN-CERT
- do listen to Linux security bug reports
- do keep you informed of what's happening with a bug you reported (which does give you a nice feeling ;-) )
- do fully disclose bugs to their security contacts at sites
- may one day persuade other CERTs to listen to Linux bug reports
This is our policy, yes. However, the DFN-CERT is (you already said this)
the CERT for the *German* research network (DFN). We are not able to handle
all vulnerability reports for the complete Internet. We do not have
the time and staff for doing Linux vulnerability analysis (in fact our
resources are eaten up by the other work like incident handling and proactive
work writing bulletins, offering security workshops etc.).
We are working together with other CERTs all over the world. The DFN-CERT
is a member of FIRST (Forum of Incident Response and Security Teams).
For further information on FIRST see http://www.first.org/first/
Our information-services are available at
It is also necessary to understand that CERTs are willing to deal with
Linux security problems but that Linux is not the only OS they have to take
care of. Today we see a big difference between highly motivated Linux users
who do a lot of their work on their own systems and can fix problems very
fast on the one hand, and commercial usage of computer systems on the other. It makes
a difference if you are only responsible for your own machine or a small
subnet or if you have to deal with a lot of different OS types in a large
organization. We can't simply publish a patch that only works for Linux
and not care about the other ones. It is important to know who else is
or may be affected by this bug (other systems are sometimes based on the same
sources) and if there is a patch or workaround for those systems available,
too. If this can't be solved in a timely fashion, we have to decide on every
single vulnerability how we deal with this problem. If it helps to prevent
attacks we are willing to publish this information even if there is no
official patch available...
The DFN-CERT would also like to work together with the developers of the
Linux implementations. If we do know that a fix is coming from the original
author of a package (e.g. it is PGP signed and other people can convince us,
that the given author is really responsible for that part of software) we
would like to forward this information to our site security contacts and
to the other FIRST members (like CERT/CC). Any input and ideas on how
to handle Linux problems are appreciated.
Yes - we do listen to Linux security reports as well as to bugtraq, 8lgm
etc. However we don't have the resources to pick up all vulnerability
reports from those lists. Please report them directly to the CERT/CC at
cert@cert.org. They will ask us (and other FIRST teams) if they need help.
Please remember that nearly all existing CERTs have a very high
workload and that a specific Linux vulnerability may not have that high a
priority compared to an ongoing attack or another bug that affects all
vendors. So please accept it if your particular bug report is not processed
within 24 hours. Of course you should ask for an acknowledgment of your
mail if you don't receive any feedback within a week or so...
Bye,
Wolfgang Ley (DFN-CERT).
Joey, 17 Mar 95