Bugtraq mailing list archives

Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634


From: Peter Barker <pbarker () BARKER DROPBEAR ID AU>
Date: Tue, 5 Sep 2000 18:41:34 +1100

On Mon, 4 Sep 2000, Warner Losh wrote:

> I know that various groups in the past have tried to strike a balance
> between vendor coordination and forcing a release to spur the vendors

...

> What's really needed is a vulnerability stamping service :-).  In the

I've thought that a bugtraq "delayed-action" script could do this.

Mail to, for example, "bugtraq-14days () securityfocus com" would be
acknowledged by the server as being in the queue to be posted to
"bugtraq () securityfocus com" after (guess!) 14 days. A warning at 1 day may
also be sent to the advisory author.

Upon posting, original receipt date of the post should be obvious.

A "key" could be issued which, if used, should indicate to the list server
that the advisory should be broken out of the queue and posted to the
list.

This should do three things:

 - establish (for those who need the ego-boost) who got in first with a
compromise
 - give the vendor time to respond
 - if cc'd to the appropriate contact for the compromised software, give
them a date to work to - and a sword over their heads.

> Warner

Yours,
--
Peter Barker                          |   N    _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek              | W + E /     /\
pbarker-btq () barker dropbear id au     |   S   _,--?_*<-- Canberra
You need a bigger hammer.             |             v    [35S, 149E]
"Note: Silencing the alarm does not solve the problem that caused it."
 -- Sola (UPS) Users Guide
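
The delayed-action queue proposed in this message, written out as an added example (not code from the post or from any list server). The class and function names, the header names, the SHA-256 digest in the acknowledgement and storing only a hash of the release key are assumptions.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

HOLD = timedelta(days=14)        # the "-14days" in the address from the post
WARN_BEFORE = timedelta(days=1)  # "A warning at 1 day"

def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

class DelayedQueue:
    def __init__(self):
        self.items = {}  # queue id -> dict describing one held advisory

    def submit(self, body: str, now: datetime):
        """Hold an advisory; return (queue id, release key, acknowledgement)."""
        qid, key = secrets.token_hex(4), secrets.token_urlsafe(16)
        # Assumption: keep only a hash of the key, so a leaked queue file
        # does not let a third party force early publication.
        self.items[qid] = {"body": body, "received": now, "key": _sha256(key),
                           "warned": False, "posted": False}
        ack = (f"queued {qid} received={now.isoformat()} "
               f"sha256={_sha256(body)} posts={(now + HOLD).isoformat()}")
        return qid, key, ack

    def release(self, qid: str, key: str, now: datetime):
        """The issued key breaks the advisory out of the queue early."""
        item = self.items.get(qid)
        if (item is None or item["posted"]
                or not hmac.compare_digest(_sha256(key), item["key"])):
            return None
        return self._post(item, now)

    def tick(self, now: datetime):
        """Periodic run: returns ("warn", qid) and ("post", message) events."""
        events = []
        for qid, item in self.items.items():
            due = item["received"] + HOLD
            if item["posted"]:
                continue
            if now >= due:
                events.append(("post", self._post(item, now)))
            elif now >= due - WARN_BEFORE and not item["warned"]:
                item["warned"] = True
                events.append(("warn", qid))
        return events

    def _post(self, item, now: datetime) -> str:
        item["posted"] = True
        # Hypothetical header names; the original receipt date stays visible.
        return (f"X-Original-Receipt: {item['received'].isoformat()}\n"
                f"X-Posted: {now.isoformat()}\n\n{item['body']}")
```

The digest in the acknowledgement lets the author later show that the posted text is the text received on that date, which is the "stamping" role mentioned in the quoted message.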

