Full Disclosure mailing list archives
Symantec Buys SecurityFocus, among others....
From: full-disclosure () lists netsys com (Bela Lubkin)
Date: Sat, 20 Jul 2002 01:44:03 -0700
I know better than to step into a discussion like this, but...

Advocating "full disclosure" and then trying to restrict the flow of vulnerability information does not make sense! Either you want it fully disclosed to everyone, or you don't. What I seem to hear being advocated is something like "vulnerabilities should be fully disclosed to people who support full disclosure, and _nobody else_". But that is not full disclosure at all, that's a closed, insular universe.

There's a lot of anger on this list against "commercial use" of vulnerability information, directed against "security companies". What about commercial software vendors? How can you "protect" exploit information against "commercial use" without also preventing commercial entities like distro houses from using it? If you did somehow successfully prevent the Red Hats, Calderas and Suns from using your exploit information to tighten up their products, in what way would this be a good thing?

(A few readers are unconditionally against all commercial software houses; the rest of us are aware of that. If you're unconditionally against it then this is another tiny bit of ammo; fine. I'm trying to ask this question of people who _do_, to whatever degree, appreciate commercial software.)

Meanwhile, I haven't heard that Symantec has actually _done_ anything that would harm bugtraq. Instead of boycotting bugtraq, people should continue to use it as before, but keep a sharp eye on it. If you post a vulnerability there, does it show up promptly? Then the list is working as it should, and there's nothing to get so excited about. The list is public -- if your vuln shows up, it's available to everyone, thus proving that Symantec/SecurityFocus are not holding it back in order to gain some sort of advantage in the marketplace. If they _do_ start delaying things, it'll be obvious to participants, and the list will die naturally. It would no longer be serving its purpose, so people would stop using it and it would die.
And maybe, just maybe, _this_ list will some day take over the role. Ain't gonna happen any time soon, not when the sound(vuln info):noise (flamewars about who-bought-who) ratio is so low.
Bela

(yeah, I'm repeating some of what others have said, but -- I hope -- a little more coherently and with a lot less swearing...)

Reply-To: /dev/null (this is the wrong venue for this discussion)
Current thread:
- Symantec Buys SecurityFocus, among others., (continued)
- Symantec Buys SecurityFocus, among others. Brian Hatch (Jul 18)
- Symantec Buys SecurityFocus, among others.... Chris Wysopal (Jul 19)
- Symantec Buys SecurityFocus, among others.... full-disclosure () lists netsys com (Jul 19)
- Symantec Buys SecurityFocus, among others.... hellNbak (Jul 19)
- Symantec Buys SecurityFocus, among others.... Chris Wysopal (Jul 19)
- Symantec Buys SecurityFocus, among others.... Christopher Meiklejohn (Jul 19)
- Symantec Buys SecurityFocus, among others.... full-disclosure () lists netsys com (Jul 19)
- Symantec Buys SecurityFocus, among others.... Nexus (Jul 20)
- 99% Peter van den Heuvel (Jul 20)
- Symantec Buys SecurityFocus, among others.... Chris Wysopal (Jul 20)
- Symantec Buys SecurityFocus, among others.... Nexus (Jul 20)
- Symantec Buys SecurityFocus, among others.... Bela Lubkin (Jul 20)
- Symantec Buys SecurityFocus, among others.... martin f krafft (Jul 20)
- Symantec Buys SecurityFocus, among others.... Jack (Jul 20)
- Symantec Buys SecurityFocus, among others.... Jack (Jul 20)
- Symantec Buys SecurityFocus, among others.... Jack (Jul 20)