Information Security News mailing list archives

Security Mailing Lists Come Under Fire


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Mar 2003 02:01:48 -0600 (CST)

http://www.eweek.com/article2/0,3959,974781,00.asp

By Dennis Fisher
March 25, 2003 

A Danish security company, angry over what it perceives as censorship 
on several popular mailing lists, is launching "a revolution to remove 
SecurityFocus and CERT from power." 

At present, the revolution consists of a new mailing list that will 
aggregate vulnerability advisories and other security-related reports 
from a variety of sources. Employees of Secunia Ltd. will take 
advisories from these sources, research and verify them and then 
submit them to the new list. 

The list, known as the Secunia Security Advisories List, is designed 
to compete with lists such as SecurityFocus' BugTraq and to complement 
more open lists, including VulnWatch and Full-Disclosure, Secunia 
executives say. Company executives are upset with the direction that 
BugTraq has taken since Symantec Corp. acquired SecurityFocus last 
year. 

"The problem with SecurityFocus is not that they moderate the lists, 
but the fact that they deliberately delay and partially censor the 
information," said Thomas Kristensen, chief technology officer of 
Secunia, based in Copenhagen, Denmark. "Since they were acquired by 
Symantec, they changed their policy regarding BugTraq. Before they 
used to post everything to everybody at the same time. Now they 
protect the interests of Symantec, delay information and inform their 
customers in advance. This is a problem as only companies who pay over 
$30,000 can get access to this information." 

Unlike some other security lists, BugTraq is actively moderated and 
therefore not every submission makes it onto the list. 

Full-Disclosure, for instance, is only lightly moderated, meaning that 
virtually all posts are approved and immediately sent to subscribers. 

SecurityFocus officials did not respond to a request for comment on 
this story. 

Secunia officials also take the CERT Coordination Center to task for 
its policy of providing some organizations with advance notice of 
vulnerability reports as part of a fee-based program in cooperation 
with the Internet Security Alliance. 

"At Secunia we feel that SecurityFocus has betrayed the community it 
used to serve so loyally, that's why we started Secunia," said 
Kristensen. "I believe that security information should be free, so 
that administrators can patch their systems and software developers 
can learn from the mistakes made by others." 

Secunia is a provider of security services and tools. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

