From: BlueBoar at thievco.com (Blue Boar)
Subject: Re: Announcing new security mailing list

Matthew S. Hallacy wrote:
> I disagree, I think my DOCSIS vulnerability posting is a good example of
> something that should have gone out immediately, but was /never/ posted.
> ( I ended up taking it to another list)
> 
> It was valid, the vendors knew, but it was withheld because you deemed it
> 'malicious'.

"You", meaning who?  Not I... it went to my list:
http://online.securityfocus.com/archive/82/261280

I have my own set of (often harsher) standards for what posts I allow on 
vuln-dev... but that has nothing to do with Bugtraq.

I assume you mean Dave, whose reply is here:
http://online.securityfocus.com/archive/82/261454

I suppose you can accuse him of not stating his standards well enough up 
front for what kinds of messages he considers fraud instructions.

I might not have approved the original message either.  For messages like 
that, I'm often torn between my policy of not allowing posts that tell that 
a particular site is vulnerable to a hole only they can fix, and allowing 
the poster to implicate themself for the poking around they've done.  It 
kinda depends if I feel like I've been made an accessory.  If so, I'll 
usually approve it for the world to see.  Or, maybe forward to the FBI.  I 
haven't had occasion to do the latter yet.

The point being, that has nothing to do with the Bugtraq moderator holding 
posts so he can warn a vendor to make a fix.

In your case, if I'm reading the headers correctly, there were only about 6 
hours between when you sent the note to Bugtraq, and decided it wasn't 
going to be posted?

							BB
