A group widely used by security companies as a clearinghouse for newly discovered software vulnerabilities has raised the ire of a well-known researcher, who criticized its policy of disclosing information early to preferred members. In an e-mail released to a public security mailing list this week, a vulnerability research company took to task the nonprofit Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University. In the e-mail, noted security researcher Mark Litchfield wrote that his company would no longer submit information on security flaws to the CERT center. Such a submission, he wrote, is “an act of good faith” intended to give information technology administrators the information they need to patch their systems. But Litchfield said he felt “a betrayal of trust” because CERT had “leaked (the information) to certain organizations and government departments” before passing it on to IT workers.