Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (Simon Richter)
Date: Thu, 11 Jul 2002 13:42:16 +0200 (CEST)


 We are pleased to announce the creation of a new security mailing list
 dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
 mailing list, it was clearly dedicated to the immediate and full
 dissemination of security issues. The current bugtraq mailing list has
 changed over the years, and some of us feel it has changed for the worse.

To me, the term "full disclosure" does not mean "make it available as fast
as possible", but rather "here is the information, expect it to leak in
the next two weeks, so go out and fix the bug". The current bugtraq scheme
enforces that, and I believe they are doing a great job.

By creating a forum in which vulnerability spotters can get "instant
fame", you are forcing software vendors to monitor the forum 24/7, as a
new vulnerability in their software could be disclosed anytime, and at the
moment it is disclosed, script kiddies are hacking it into their scanners
while it could be 4 am in the vendor's timezone. If we are lucky enough
that the vulnerability is spotted by a whitehat, we should not jeopardize
the time advantage we have by announcing it publically.

In short, I think this is a bad idea because it adds confusion for the
vulnerability spotters, risks early disclosure before fixes are available
and thus harms the users.


GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
 Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]