[Full-Disclosure] Re: Announcing new security mailing list

[Matthew S. Hallacy]

On Thu, Jul 11, 2002 at 09:04:21AM -0700, Blue Boar wrote:
> There is no Bugtraq "scheme".  The Bugtraq moderator does not hold any 
> posts.  The poster gets to decide when his informatino is released.  The 
> people who post to Bugtraq as just as able to blindside a vendor as on any 
> other mailing list.
> 
> The closest thing to what you describe that is offered by SecurityFocus is 
> the vulnhelp service.  This is a way for someone who finds a bug to 
> voluntarily dump the hassle of dealing with notifying the vendor and 
> waiting onto the SecurityFOcus staff.  Someone who uses vulnhelp still 
> wants to give the vendor advanced notice, they just don't want to do it 
> themselves.  If they don't want the vendor to have any warning, they just 
> post to Bugtraq.
> 
> 						BB

I disagree, I think my DOCSIS vulnerability posting is a good example of
something that should have gone out immediately, but was /never/ posted.
( I ended up taking it to another list)

It was valid, the vendors knew, but it was withheld because you deemed it
'malicious'.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203