mailing list archives
Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (Simon Richter)
Date: Thu, 11 Jul 2002 13:42:16 +0200 (CEST)
We are pleased to announce the creation of a new security mailing list
dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
mailing list, it was clearly dedicated to the immediate and full
dissemination of security issues. The current bugtraq mailing list has
changed over the years, and some of us feel it has changed for the worse.
To me, the term "full disclosure" does not mean "make it available as fast
as possible", but rather "here is the information, expect it to leak in
the next two weeks, so go out and fix the bug". The current bugtraq scheme
enforces that, and I believe they are doing a great job.
By creating a forum in which vulnerability spotters can get "instant
fame", you are forcing software vendors to monitor the forum 24/7, as a
new vulnerability in their software could be disclosed anytime, and at the
moment it is disclosed, script kiddies are hacking it into their scanners
while it could be 4 am in the vendor's timezone. If we are lucky enough
that the vulnerability is spotted by a whitehat, we should not jeopardize
the time advantage we have by announcing it publically.
In short, I think this is a bad idea because it adds confusion for the
vulnerability spotters, risks early disclosure before fixes are available
and thus harms the users.
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4