Policy Addition to VulnHelp - Please read

[Alfred Huger <ah () SECURITYFOCUS COM>]

Hey Folks,


As most of you know several weeks ago  I posted an announcement to the
list about a new service BUGTRAQ would be offering called Vulnhelp. The
post can be read at:

http://www.securityfocus.com/archive/1/71918

If you rely on Bugtraq for information, post vulnerabilities to it or in
general follow it please read the post as it will make the rest of this
message more coherent for you.

In short - we have decided to amend the current Vulnhelp posting policy to
include the ability for people working with vendors to not lose credit for
the discovery of vulnerabilities. The Vulnhelp service has been brought
about to help users who discover bugs work with vendors to hopefully
generate fixes before a bug is posted. To this end, any user who is
working with Vulhelp and a vendor(s) will not have credit scooped from
them on the list. We intend go about this in the following manner:


Initial Contact - Advisory Drafting - Release Rules

People who contact Vulnhelp should be doing so with something they have
verified to be a bug. We will then work with them in addressing initial
concerns of the advisory and coordinating the contacts involved.  We will
then draft an advisory which is for lack of a better term a 'living
document' this advisory then sits in the Bugtraq queue waiting for
approval and may from time to time be updated as vendor information
becomes available. The advisory will be released under the following
conditions:

A. COORDINATED RELEASE

This is the best case scenario where the vendor and user have worked to
a succesful conclusion and the advisory will be able to include a vendor
supplied fix or workaround.

B. USER RELEASE

This release is when for whatever reason the user has deemed the vendor
to be uncooperative and has decided to post without vendor support.

C. FORCED RELEASE

This is the release type I alluded to above. This release is posted when
and if the information becomes available elsewhere or where another user
posts to BUGTRAQ with the same problem. Should this happen with a user
posting to BUGTRAQ the party dealing with Vulnhelp will have their
advisory posted at the same time as the others. Therefore, credit is not
lost and the integrity of the process (concerning full disclosure) is not
impinged upon. In the event of a forced release we will post a followup
message explaining in detail why the release was forced.

Should you desire more information on Vulnhelp, please mail us at
vulnhelp () securityfocus com . Our PGP Key is attached.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

mQENAzmdZdsAAAEIAMY6K6rr5xq7unmUYkdHDtme/XhesKrS4hXFZJAFT325Lsix
RXf+Zej+Buyqg2yiTll5EqRyHIqB1RKMgIn5yQmHHNcV7z3sG/Go+LZ9/HLHxbi2
sL9Poew6BV1fM26DswjaTDOCJ2JVZMOZHYNoMpXKRtFw38ZfBn7Bd4L+F6ipOYSu
0Mdb3PYU7GeGG2kYLJa4lw5/5PoOC25Q2+VOQQzvxuzSvtJldM9MMam480LCSJK/
8e51Bgh/Xo9axhu+lwV01sVQLkDbpJo1L3xT8vawvF3j41pD1+5/MZL9lKLEUyCZ
25vhfs2c83T1tvY6zanpd6scNFyUXXmlnNm+btUABRG0QlNlY3VyaXR5Rm9jdXMg
VnVsbmVyYWJpbGl0eSBIZWxwIFRlYW0gPHZ1bG5oZWxwQHNlY3VyaXR5Zm9jdXMu
Y29tPokBFQMFEDmdZdtdeaWc2b5u1QEBB2YH/3zDs7BxqhJgnzSQSG1H+hFFfVgN
3sVw6F8l4vVXHkFC5wABEHLhgwCb+YwM6GYW8FxSfqRS8IEtCinseVr7jNF8io3/
kbsYOY9VrLJo25TVMIElYL15wQ9PsPWMcs7/n3M0vnXSySqwSjVxKeKUm7CG3pBA
EdzRKbWqlJl+EMmjKgPzQAKKMLyHTEeFmgTYVgiZTDo0GvnLHg43yDRNDRIzvweC
/M+71sDh42ntNaC6kvH5oM5g9QVRO9lemaXCcsCfcA4v7lATV5YYKB3k/XTupjGp
Fpu9ol3qmKMcUAe7Ki3L07VhbE+jIHb54mZYQQcTbFu7qnn30XvVO5e6ckQ=
=XqTd
-----END PGP PUBLIC KEY BLOCK-----



Alfred Huger
VP of Engineering
SecurityFocus.com