Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others....


From: full-disclosure () lists netsys com (Bela Lubkin)
Date: Sat, 20 Jul 2002 01:44:03 -0700

I know better than to step into a discussion like this, but...

Advocating "full disclosure" and then trying to restrict the flow of
vulnerability information does not make sense!  Either you want it fully
disclosed to everyone, or you don't.  What I seem to hear being
advocated is something like "vulnerabilities should be fully disclosed
to people who support full disclosure, and _nobody else_".  But that is
not full disclosure at all, that's a closed, insular universe.

There's a lot of anger on this list against "commercial use" of
vulnerability information, directed against "security companies".  What
about commercial software vendors?  How can you "protect" exploit
information against "commercial use" without also preventing commercial
entities like distro houses from using it?

If you did somehow successfully prevent the Red Hats, Calderas and Suns
from using your exploit information to tighten up their products, in
what way would this be a good thing?  (A few readers are unconditionally
against all commercial software houses; the rest of us are aware of
that.  If you're unconditionally against it then this is another tiny
bit of ammo; fine.  I'm trying to ask this question of people who _do_,
to whatever degree, appreciate commercial software.)

Meanwhile, I haven't heard that Symantec has actually _done_ anything
that would harm bugtraq.

Instead of boycotting bugtraq, people should continue to use it as
before, but keep a sharp eye on it.  If you post a vulnerability there,
does it show up promptly?  Then the list is working as it should,
and there's nothing to get so excited about.  The list is public --
if your vuln shows up, it's available to everyone, thus proving that
Symantec/SecurityFocus are not holding it back in order to gain some
sort of advantage in the marketplace.

If they _do_ start delaying things, it'll be obvious to participants,
and the list will die naturally.  It would no longer be serving its
purpose, so people would stop using it and it would die.

And maybe, just maybe, _this_ list will some day take over the role.
Ain't gonna happen any time soon, not when the sound(vuln info):noise
(flamewars about who-bought-who) ratio is so low.

Bela

(yeah, I'm repeating some of what others have said, but -- I hope -- a
little more coherently and with a lot less swearing...)

Reply-To: /dev/null  (this is the wrong venue for this discussion)
