Full Disclosure: Re: Announcing new security mailing list

Re: Announcing new security mailing list

From: Blue Boar <full-disclosure_at_lists.netsys.com>
Date: Thu, 11 Jul 2002 18:00:25 -0700

Matthew S. Hallacy wrote:
> I disagree, I think my DOCSIS vulnerability posting is a good example of
> something that should have gone out immediately, but was /never/ posted.
> (I ended up taking it to another list)
>
> It was valid, the vendors knew, but it was withheld because you deemed it
> 'malicious'.

"You", meaning who? Not I.. it went to my list:
http://online.securityfocus.com/archive/82/261280

I have my own set of (often harsher) standards for what posts I allow on
vuln-dev... but that has nothing to do with Bugtraq.

I assume you mean Dave, whose reply is here:
http://online.securityfocus.com/archive/82/261454

I suppose you can accuse him of not stating his standards well enough up
front for what kinds of messages he considers fraud instructions.

I might not have approved the original message either. For messages like
that, I'm often torn between my policy of not allowing posts that tell that
a particular site is vulnerable to a hole only they can fix, and allowing
the poster to implicate themself for the poking around they've done. It
kinda depends if I feel like I've been made an accessory. If so, I'll
usually approve it for the world to see. Or, maybe forward to the FBI. I
haven't had occasion to do the latter yet.

The point being, that has nothing to do with the Bugtraq moderator holding
posts so he can warn a vendor to make a fix.

In your case, if I'm reading the headers correctly, there were only about 6
hours between when you sent the note to Bugtraq, and decided it wasn't
going to be posted?

                                                        BB
Received on Jul 12 2002
