Bugtraq mailing list archives

Re: What is the point here?

From: Systems Administrator <sysadmin () sunet com au>
Date: Tue, 20 Jan 2004 09:54:56 +1100 (EST)

On Sun, 18 Jan 2004, Alun Jones wrote:

I'd like to think that Bugtraq positions itself as something more than a
semi-sneaky, behind-the-back-of-the-vendors rant group, or an assembly point
for root-kit starters.  Moderators, please stop accepting posts where the
poster has stated specifically that they have not yet notified the vendor,


        The problem with this, of course, is that the security hole 
exists, but the whitehats (ie. us) haven't been generally notified.  I 
agree that in a perfect world, everyone should notify the vendor first.  
But a lot of people, if they got knocked back, and told to follow proper 
procedure, would just say "Ah well, I don't have time for that".  My 
understanding of Bugtraq is that it is to provide timely information on 
potential problems, and allow workarounds (ie. turn off javascript, or 
whatever it happens to be).

or where the only new thing that is contributed is a more insidious version
of an existing exploit.  And posters, please consider carefully before you


        I agree on this one -- if an exploit only functions under some 
circumstances (OS specific is a good example), then making it function 
under a wider range of circumstances is good because it allows people to 
see that they're vulnerable where they might've thought otherwise.  But 
posting an exploit that drops a root shell -- well, I wonder whether these 
shouldn't be rejected even if they are the first POC -- it shouldn't be 
too hard for the POC writer to change their code so that it doesn't.

post whether what you post is going to contribute to an increase in security
or a decrease in security.  If you cannot claim that your post will help to
improve security, then do us a favour and take it somewhere else.


        I agree, although I think I'd phrase that as "enable the whitehats
to deal with their security situation better".  

        Thanks,

-- 
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: sysadmin () sunet com au

Current thread:

exploit for HD Soft Windows FTP Server 1.6 mandrag (Jan 13)
- What is the point here? Alun Jones (Jan 19)
  - RE: What is the point here? Andrew Hintz ( Drew ) (Jan 19)
  - RE: What is the point here? ken kousky (Jan 19)
    - Re: What is the point here? Adam Shostack (Jan 20)
  - Re: What is the point here? Systems Administrator (Jan 19)
  - Re: What is the point here? Mariusz Woloszyn (Jan 20)
  - Re: What is the point here? Damian Menscher (Jan 20)
  - Re: What is the point here? Jason Coombs (Jan 21)