Date: Thu, 19 Jul 2007 13:06:08 -0700
From: "Zow" Terry Brugger <zow@...l.gov>
To: Chris Stromblad <cs@...post24.com>
Cc: Gadi Evron <ge@...uxbox.org>, bugtraq@...urityfocus.com
Subject: Re: Internet Explorer 0day exploit

> ideal world. Many of the advisories I look at almost always cover the
> same type of vulnerability. Shouldn't we have learned by now, if we
> consider your argument?

It's been a while, but one of the great things I've seen Bugtraq used for
is to look at the distribution of vulnerabilities. In the past few years,
my perception is that there's been a decline in the number of buffer
overflow attacks and most of what we see today are web attacks like
cross-site scripting and remote file injection. Seeing these trends is
important because it tells us as a community where we need to focus our
efforts.

> However, perhaps one/I just need to shift the way I look at advisories.
> Rather than seeing them as "late" and "out-of-date", they could be an
> additional source of information about a particular system. I'll accept
> that.

That too. Let me tell you, if I ever need to set up a web forum for
something, I'm going to look at Bugtraq to see what the track record is
for the systems I'm considering.

> are almost at the verge of being completely void. A remedy for that
> would be to have the security community agree on a common "advisory
> protocol" that defines a guideline for contents in an advisory. Anyways,

Great idea! Much like the RFP vendor notification policy (which I haven't
seen mentioned in a while, so I encourage everyone doing vulnerability
research to see http://www.wiretrip.net/rfp/policy.html). Anyone care to
propose a template (presumably if someone who the community respects does
so, it's more likely to catch on)?

Terry

import standard.disclaimer;