Message-ID: <3D2DAC85.4010200@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: Re: Announcing new security mailing list

Simon Richter wrote:
> To me, the term "full disclosure" does not mean "make it available as fast
> as possible", but rather "here is the information, expect it to leak in
> the next two weeks, so go out and fix the bug". The current bugtraq scheme
> enforces that, and I believe they are doing a great job.

There is no Bugtraq "scheme".  The Bugtraq moderator does not hold any 
posts.  The poster gets to decide when his information is released.  The 
people who post to Bugtraq are just as able to blindside a vendor as on any 
other mailing list.

The closest thing to what you describe that is offered by SecurityFocus is 
the vulnhelp service.  This is a way for someone who finds a bug to 
voluntarily dump the hassle of dealing with notifying the vendor and 
waiting onto the SecurityFocus staff.  Someone who uses vulnhelp still 
wants to give the vendor advance notice, they just don't want to do it 
themselves.  If they don't want the vendor to have any warning, they just 
post to Bugtraq.

						BB

