Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (Blue Boar)
Date: Thu, 11 Jul 2002 18:00:25 -0700

Matthew S. Hallacy wrote:
I disagree, I think my DOCSIS vulnerability posting is a good example of
something that should have gone out immediately, but was /never/ posted.
( I ended up taking it to another list)

It was valid, the vendors knew, but it was withheld because you deemed it
'malicious'.

"You", meaning who?  Not I.. it went to my list:
http://online.securityfocus.com/archive/82/261280

I have my own set of (often harsher) standards for what posts I allow on 
vuln-dev... but that has nothing to do with Bugtraq.

I assume you mean Dave, whose reply is here:
http://online.securityfocus.com/archive/82/261454

I suppose you can accuse him of not stating his standards well enough up 
front for what kinds of messages he considers fraud instructions.

I might not have approved the original message either.  For messages like 
that, I'm often torn between my policy of not allowing posts that tell that 
a particular site is vulnerable to a hole only they can fix, and allowing 
the poster to implicate themself for the poking around they've done.  It 
kinda depends if I feel like I've been made an accessory.  If so, I'll 
usually approve it for the world to see.  Or, maybe forward to the FBI.  I 
haven't had occasion to do the latter yet.

The point being, that has nothing to do with the Bugtraq moderator holding 
posts so he can warn a vendor to make a fix.

In your case, if I'm reading the headers correctly, there were only about 6 
hours between when you sent the note to Bugtraq, and decided it wasn't 
going to be posted?

                                                        BB



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]