5299948 2000-07-25 23:16 /89 lines/ The Mail Carrier (which is implemented in) Python
Recipient: Bugtraq (import) <11922>
Subject: New reporting service w/ Bugtraq
------------------------------------------------------------
From: Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.21.0007251145001.4560-100000@mail>

Bugtraq users,

As most of you know, traffic on Bugtraq over the last 6 months has reached record proportions. Obviously this means more and more people are releasing bugs to the public, and more than ever Full Disclosure is becoming a norm. This, in our opinion (the SecurityFocus.com team), is a good thing. However, with the influx of new bugs, the reporting of these issues in terms of thoroughness leaves something to be desired. I say this in terms of both vendor notification and precise descriptions of the problems at hand.

Given that this is the case, the staff at SecurityFocus have decided to start a free, community-based service which will assist people in posting their bugs. This service is simply a support arm for people wishing to post vulnerabilities and who want to do it efficiently in a way which benefits the community the most.

The service we will be offering is roughly broken down as such:

1. Vendor contact.

We will help pinpoint the appropriate vendor contact for the problem and can provide a pre-written letter which can be sent to the vendor. Further, we will work with the poster to define what are most likely reasonable timelines for vendor response and contingency plans in the event of uncooperative vendors. Beyond this, we can act as a third-party observer for the communication between the vendor and the poster. This may be useful in the event of a dispute over who said what, when, where, etc.

2. Advisory drafting.

We will help the poster draft the advisory with as much detail as they can provide and in a format which is hopefully easy to digest. A terrific number of advisories are being released with little or no coherence, and as a result the message they carry is a little less likely to be digested.

3. FIRST Team coordination.

We will be happy to forward the relevant details to whichever FIRST Teams have authority over the issues at hand (most likely CERT/CC).

We feel that these simple steps should make things a little more efficient for the community in general and certainly easier for the people who these problems really impact: the vulnerable users. All of these steps will essentially be addressed with form-type letters and help from some of the SecurityFocus.com staff who are familiar with this type of work.

Some points for clarification should be mentioned here:

1. This is not a pay service in any way, shape or form. It's actually being performed by the staff here outside of our regular work and on a volunteer basis.

2. We do not require anything from the poster of the advisory, not credit, not warm gushy respect, not a single thing. If people use this service and it ends up helping us all, it's payment enough.

3. We do not actually post the advisories; that's up to the discoverer. Our help is entirely behind the scenes.

4. THIS IS NOT REQUIRED TO POST TO BUGTRAQ. This is simply an available service; use it or not, it's entirely your call.

5. If you use the service, we still place no restrictions on your post. If you decide in the middle of the process to post to Bugtraq anyhow, so be it.

I do hope some folks will take advantage of this, as we really believe it will help. For those who want to use this service, feel free from this point on to mail:

vulnhelp@securityfocus.com

We will take it from there.

Alfred Huger
VP of Engineering
SecurityFocus.com

(5299948) ------------------------------------------ (Rewrapped)