Message-ID: <Pine.BSF.4.20.0207110911020.90880-100000@alive.znep.com>
From: marcs at znep.com (Marc Slemko)
Subject: Re: Announcing new security mailing list

On Thu, 11 Jul 2002, Blue Boar wrote:

> Simon Richter wrote:
> > To me, the term "full disclosure" does not mean "make it available as fast
> > as possible", but rather "here is the information, expect it to leak in
> > the next two weeks, so go out and fix the bug". The current bugtraq scheme
> > enforces that, and I believe they are doing a great job.
> 
> There is no Bugtraq "scheme".  The Bugtraq moderator does not hold any 
> posts.  The poster gets to decide when his information is released.  The 
> people who post to Bugtraq are just as able to blindside a vendor as on any 
> other mailing list.

Speaking from personal experience, the current bugtraq moderator
does, and the previous moderator also did, "hold" certain posts.
The cases I have seen fall into one of two categories:

1. having doubts about the authenticity of the information in the post
2. seeing if the poster would like to voluntarily withhold it temporarily
and work with vendors.

Certainly, if the authenticity of the information is not in question and
if the poster insists on posting it, then I have no indication that it
would be withheld.  I also don't have any reason to think this happens
frequently.  But there is an extra layer there that, in some cases, does
result in submitted posts being delayed, normally with the consent of the
poster.

I'm not really sure of the need for a "full-disclosure" list, but time
will tell.

BTW, spewing "[full-disclosure]" into the subject line is a very annoying
thing for a list to do.  

