Full Disclosure mailing list archives

Re: Announcing new security mailing list


From: full-disclosure () lists netsys com (Simon Richter)
Date: Thu, 11 Jul 2002 13:42:16 +0200 (CEST)

Hi,

> We are pleased to announce the creation of a new security mailing list
> dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
> mailing list, it was clearly dedicated to the immediate and full
> dissemination of security issues. The current bugtraq mailing list has
> changed over the years, and some of us feel it has changed for the worse.

To me, the term "full disclosure" does not mean "make it available as fast
as possible", but rather "here is the information, expect it to leak in
the next two weeks, so go out and fix the bug". The current bugtraq scheme
enforces that, and I believe they are doing a great job.

By creating a forum in which vulnerability spotters can get "instant
fame", you are forcing software vendors to monitor the forum 24/7, as a
new vulnerability in their software could be disclosed anytime, and at the
moment it is disclosed, script kiddies are hacking it into their scanners
while it could be 4 am in the vendor's timezone. If we are lucky enough
that the vulnerability is spotted by a whitehat, we should not jeopardize
the time advantage we have by announcing it publicly.

In short, I think this is a bad idea because it adds confusion for the
vulnerability spotters, risks early disclosure before fixes are available
and thus harms the users.

   Simon

-- 
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
 Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
