Bugtraq mailing list archives

@stake Advisory Notification Format


From: Weld Pond <weld () ATSTAKE COM>
Date: Wed, 13 Dec 2000 16:24:53 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I think everyone out there knows that we are committed to full disclosure
and the concept of freely available security advisories.  Many vendors do
not issue bulletins after we report problems to them, even after they
subsequently fix the problems.  Without advisories from independent
researchers there is no check on product vendors. This is a service that we
give to the security community because we think it is the right thing to do
with the fruits of our research.  With our new mailing list notification
format we have not changed this one bit.

We are giving out more information now in our advisories than we ever have
before, so we are certainly not withholding anything.  Quite the opposite.
Over the past few months we have expanded our overview sections that allow
non-technical people to scope the problem.  We have expanded our detailed
technical discussions of issues, many times including detailed source code
examples.  And, I think most importantly, we have greatly expanded our
solutions discussion so that people are not always reliant on vendor
patches.  We need many ways to mitigate vulnerabilities because there are
many environments.

The advisory notification format we are using has about the same amount of
information as the paraphrased advisories that Elias posted for the latest
Microsoft advisories and the same amount of information that some other
researchers post in their advisories.  This is more than enough information
to decide if the issue at hand affects you and you need to dive deeper into
our analysis.

What we are doing is adding more information than we have in the past and we
are adding it on our web site. There are plans to add much more. We think
that our web site and its accompanying web technology is the best place to
expand our free information dissemination into the future.  We have many
ideas in store that I know people will appreciate. Of course, notifications
of important information releases will be made to mailing lists that accept
them so everyone who wishes to can read and use the information.  We may
even set up our own notification list if there is a demand for that.

We have stayed away from cluttering up our advisories with marketing gorp,
like ads about our services or ads about our company like many commercial
research teams do.  We pride ourselves in publishing our research on an
academic level and always have.  This will not change.

weld

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOjfpbaKvhX2AQSGyEQL27gCeKYX8tX++ormy4c/v1qe2RtlSn7gAoOzg
C9aiKSrI694BEHvkh8uRE+mn
=MyCw
-----END PGP SIGNATURE-----

