Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (Matthew S. Hallacy)
Date: Thu, 11 Jul 2002 12:00:54 -0500

On Thu, Jul 11, 2002 at 09:04:21AM -0700, Blue Boar wrote:
There is no Bugtraq "scheme".  The Bugtraq moderator does not hold any 
posts.  The poster gets to decide when his informatino is released.  The 
people who post to Bugtraq as just as able to blindside a vendor as on any 
other mailing list.

The closest thing to what you describe that is offered by SecurityFocus is 
the vulnhelp service.  This is a way for someone who finds a bug to 
voluntarily dump the hassle of dealing with notifying the vendor and 
waiting onto the SecurityFOcus staff.  Someone who uses vulnhelp still 
wants to give the vendor advanced notice, they just don't want to do it 
themselves.  If they don't want the vendor to have any warning, they just 
post to Bugtraq.


I disagree, I think my DOCSIS vulnerability posting is a good example of
something that should have gone out immediately, but was /never/ posted.
( I ended up taking it to another list)

It was valid, the vendors knew, but it was withheld because you deemed it

Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]