Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others..


From: full-disclosure () lists netsys com (Ed Moyle)
Date: Thu, 18 Jul 2002 09:58:03 -0400

On Thursday, July 18, 2002 09:40, HggdH [mailto:hggdh () attbi com] wrote:

Again, please remember -- if Symantec decides to censor BUGTRAQ... they will
have killed it in a more effective way than any other. BUGTRAQ is followed
not because it is SecurityFocus, but because it is BUGTRAQ. If BUGTRAQ will
bite the dust, or not, will (hopefully) depend on what Symantec forces in. I
certainly hope it will not die because of what one thinks it is, or is not.
This would be pure prejudice.

In my humble opinion, it seems like it could be a major conflict of interest
to have the primary vulnerability reporting outlet controlled by a party who
also makes vulnerability scanning and intrusion detection products.  This has
always been the case under SF, but it is *really* bad now.  Note that
Symantec also announced purchases of Riptech and Recourse yesterday.

It would seem that Symantec would have an edge in updating their product line
before competitors have a chance to update theirs...  Also, not to be cynical
but they have an economic incentive to "play games" with vulnerabilities 
reported through outlets they control (keep in mind that there are no guarantees
about timeliness with respect to when the moderator must act on messages.)  I'm
not saying they would do this; I'm just saying that they would have economic
incentive to do so.

Throughout the years, I have always used BugTraq as a means to "give back" to 
the community; I do not appreciate my gift of free research to the community 
being used to make other people money.  Something needs to be done.  Hopefully,
this list is the answer.

-E


