Bugtraq mailing list archives
@stake Advisory Notification Format
From: Weld Pond <weld () ATSTAKE COM>
Date: Wed, 13 Dec 2000 16:24:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research.

With our new mailing list notification format we have not changed this one bit. We are giving out more information now in our advisories than we ever have before, so we are certainly not withholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many ways to mitigate vulnerabilities because there are many environments.

The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis.

What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate.

Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.

We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.

weld

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOjfpbaKvhX2AQSGyEQL27gCeKYX8tX++ormy4c/v1qe2RtlSn7gAoOzg
C9aiKSrI694BEHvkh8uRE+mn
=MyCw
-----END PGP SIGNATURE-----