Bugtraq mailing list archives
Policy Addition to VulnHelp - Please read
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Mon, 4 Sep 2000 13:52:19 -0700
Hey Folks,

As most of you know several weeks ago I posted an announcement to the list about a new service BUGTRAQ would be offering called Vulnhelp. The post can be read at:

http://www.securityfocus.com/archive/1/71918

If you rely on Bugtraq for information, post vulnerabilities to it or in general follow it please read the post as it will make the rest of this message more coherent for you.

In short - we have decided to amend the current Vulnhelp posting policy to include the ability for people working with vendors to not lose credit for the discovery of vulnerabilities. The Vulnhelp service has been brought about to help users who discover bugs work with vendors to hopefully generate fixes before a bug is posted. To this end, any user who is working with Vulnhelp and a vendor(s) will not have credit scooped from them on the list. We intend to go about this in the following manner:

Initial Contact - Advisory Drafting - Release Rules

People who contact Vulnhelp should be doing so with something they have verified to be a bug. We will then work with them in addressing initial concerns of the advisory and coordinating the contacts involved. We will then draft an advisory which is for lack of a better term a 'living document'; this advisory then sits in the Bugtraq queue waiting for approval and may from time to time be updated as vendor information becomes available. The advisory will be released under the following conditions:

A. COORDINATED RELEASE

This is the best case scenario where the vendor and user have worked to a successful conclusion and the advisory will be able to include a vendor supplied fix or workaround.

B. USER RELEASE

This release is when for whatever reason the user has deemed the vendor to be uncooperative and has decided to post without vendor support.

C. FORCED RELEASE

This is the release type I alluded to above. This release is posted when and if the information becomes available elsewhere or where another user posts to BUGTRAQ with the same problem. Should this happen with a user posting to BUGTRAQ the party dealing with Vulnhelp will have their advisory posted at the same time as the others. Therefore, credit is not lost and the integrity of the process (concerning full disclosure) is not impinged upon. In the event of a forced release we will post a followup message explaining in detail why the release was forced.

Should you desire more information on Vulnhelp, please mail us at vulnhelp () securityfocus com. Our PGP Key is attached.

Alfred Huger
VP of Engineering
SecurityFocus.com