Message-ID: <Pine.LNX.4.44.0207111321490.30196-100000@phobos>
From: Simon.Richter at phobos.fachschaften.tu-muenchen.de (Simon Richter)
Subject: Re: Announcing new security mailing list

Hi,

>  We are pleased to announce the creation of a new security mailing list
>  dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
>  mailing list, it was clearly dedicated to the immediate and full
>  dissemination of security issues. The current bugtraq mailing list has
>  changed over the years, and some of us feel it has changed for the worse.

To me, the term "full disclosure" does not mean "make it available as fast
as possible", but rather "here is the information, expect it to leak in
the next two weeks, so go out and fix the bug". The current bugtraq scheme
enforces that, and I believe they are doing a great job.

By creating a forum in which vulnerability spotters can get "instant
fame", you are forcing software vendors to monitor the forum 24/7, as a
new vulnerability in their software could be disclosed anytime, and at the
moment it is disclosed, script kiddies are hacking it into their scanners
while it could be 4 am in the vendor's timezone. If we are lucky enough
that the vulnerability is spotted by a whitehat, we should not jeopardize
the time advantage we have by announcing it publicly.

In short, I think this is a bad idea because it adds confusion for the
vulnerability spotters, risks early disclosure before fixes are available
and thus harms the users.

   Simon

-- 
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
 Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
