mailing list archives
Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
From: Peter Barker <pbarker () BARKER DROPBEAR ID AU>
Date: Tue, 5 Sep 2000 18:41:34 +1100
On Mon, 4 Sep 2000, Warner Losh wrote:
I know that various groups in the past have tried to strike a balance
between vendor coordination and forcing a release to spur the vendors
What's really needed is a vulnerability stamping service :-). In the
I've thought that a bugtraq "delayed-action" script could do this.
Mail to, for example, "bugraq-14days () securityfocus com" would be
acknowledged by the server as being in the queue to be posted to
"bugtraq () securityfocus com" after (guess!) 14 days. A warning at 1 day may
also be sent to the advisory author.
Upon posting, original receipt date of the post should be obvious.
A "key" could be issued which, if used, should indicate to the list server
that the advisory should be broken out of the queue and posted to the
This should do three things:
- establish (for those need the ego-boost) who got in first with a
- give the vendor time to respond
- if cc'd to the appropriate contact for the compromised software, gives
them a date to work to - and a sword over their heads.
Peter Barker | N _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek | W + E / /\
pbarker-btq () barker dropbear id au | S _,--?_*<-- Canberra
You need a bigger hammer. | v [35S, 149E]
"Note: Silencing the alarm does not solve the problem that caused it."
-- Sola (UPS) Users Guide