Full Disclosure mailing list archives

Re: Announcing new security mailing list


From: full-disclosure () lists netsys com (Blue Boar)
Date: Thu, 11 Jul 2002 18:00:25 -0700

Matthew S. Hallacy wrote:
I disagree, I think my DOCSIS vulnerability posting is a good example of
something that should have gone out immediately, but was /never/ posted.
(I ended up taking it to another list)

It was valid, the vendors knew, but it was withheld because you deemed it
'malicious'.

"You", meaning who?  Not I.. it went to my list:
http://online.securityfocus.com/archive/82/261280

I have my own set of (often harsher) standards for what posts I allow on 
vuln-dev... but that has nothing to do with Bugtraq.

I assume you mean Dave, whose reply is here:
http://online.securityfocus.com/archive/82/261454

I suppose you can accuse him of not stating his standards well enough up 
front for what kinds of messages he considers fraud instructions.

I might not have approved the original message either.  For messages like 
that, I'm often torn between my policy of not allowing posts that tell that 
a particular site is vulnerable to a hole only they can fix, and allowing 
the poster to implicate themself for the poking around they've done.  It 
kinda depends if I feel like I've been made an accessory.  If so, I'll 
usually approve it for the world to see.  Or, maybe forward to the FBI.  I 
haven't had occasion to do the latter yet.

The point being, that has nothing to do with the Bugtraq moderator holding 
posts so he can warn a vendor to make a fix.

In your case, if I'm reading the headers correctly, there were only about 6 
hours between when you sent the note to Bugtraq, and decided it wasn't 
going to be posted?

                                                        BB


