On Thu, Jul 18, 2002 at 10:36:56AM +0200, Michel Arboi wrote:
> OK, should we try to launch a new mailing list?
No. We could change the way plugins-writers@ works, so that we forward
advisories over there and people discuss them until someone comes
up with a tested plugin, but that's all. There are already other mailing
lists (vulnwatch, full-disclosure), but none of them has the quality
bugtraq had in the late 90's. Why? Because researchers have turned into
security consultants who consider private exploits to have monetary
value (which unfortunately is right). So "sexy" advisories are kept
unpublished, and we end up with ten advisories per day about cross-site
scripting or about directory traversals in unused shareware.
While I don't understand how a company in the real world may accept
"private patches"(*) from security consultants, this is how it
works (and the problem is that the few researchers-consultants I've been
talking to fail to realize why it's STUPID to add local modifications to the
source code of a service that is in production).
Launching a new mailing list will just add more confusion. We already
have to subscribe to dozens of mailing lists, let's not add one.
However, changing the way plugins-writers works will be necessary and
useful.
-- Renaud
(*) Or just "your webserver sucks, use something else" as a solution.