Open source software vendor Red Hat has announced a new initiative, implemented by the National Institute of Standards and Technology (NIST), that enables members of the software industry to officially and publicly comment on vulnerabilities that may affect their software.
This service was implemented on Thursday within the National Vulnerability Database (NVD) at NIST, which holds US government vulnerability information. It will enable vendors selling different distributions of the same software to notify people in real time whether or not the software is vulnerable to exploits.
Mark Cox, the security response team director for Red Hat, came up with the idea after a miscalculation which allows inappropriate access to memory in Apache was disclosed on 21 August. Other Linux distributors issued advisories for their versions of Apache, but Red Hat did not, as their version of the software was not vulnerable. However, Cox was quizzed by customers wondering why Red Hat had not issued an advisory.
Red Hat approached NIST with the idea of using the NVD to create an official vendor statement service, based on the Common Vulnerabilities and Exposures (CVE) naming standard. Unlike other services which promote vulnerabilities, this new scheme will also inform people if they are safe from a particular flaw.
"Open source software companies are great at telling their customers about issues, but we're not so good at telling people when they're not affected," Cox told ZDNet UK. "We wrote up a proposal for NIST, and they thought it was a great idea," Cox added.
Peter Mell, NVD program manager at NIST, said: "We appreciate Red Hat approaching us with this idea of creating the official vendor statement initiative within the National Vulnerability Database. Software vendors have the deepest knowledge about their products and are uniquely positioned to comment on their vulnerabilities."
After trialling the initiative on a beta basis for two weeks, Red Hat approached other vendors last week, including Mandriva, SUSE, HP and IBM, to find out if they were interested in the scheme. According to Cox, Mandriva has already signed up.
"This has value for software shipped by multiple people, although Microsoft is not excluded. We and other distributions are adding more secure technologies like SELinux and ExecShield, so it's important to explain if we're not affected by issues," said Cox.
Red Hat said it would like to continue taking a leadership position in the initiative, to encourage other software vendors to sign up to the initiative.
"It's a win for us even if no-one else uses it, but the more vendors take up this service the better it'll be for the end user," said Cox.
