Symantec Defends Bugtraq

View Poll Results: Is The Question Addressed Correctly?

Voters
5. You may not vote on this poll
  • Yes

    3 60.00%
  • No

    2 40.00%
Results 1 to 6 of 6

Thread: Symantec Defends Bugtraq

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Symantec Defends Bugtraq

    A Danish company, Secunia, is starting their own vulnerabilities list because of what they perceive as bias from SecurityFocus since being bought by Symantec:

    "The problem with SecurityFocus is not that they moderate the lists, but the fact that they deliberately delay and partially censor the information," said Thomas Kristensen, CTO of Secunia, based in Copenhagen, Denmark. "Since they were acquired by Symantec they changed their policy regarding BugTraq. Before they used to post everything to everybody at the same time. Now they protect the interests of Symantec, delay information and inform their customers in advance."
    Former SecurityFocus CEO, Art Wong (now a VP with Symantec) said:

    "What I can tell you is that we never delay posting any message to BugTraq. And everyone gets access to the messages at the same time
    Here is the article: Symantec Defends Bugtraq Policies

    I am curious whether anyone else feels that SecurityFocus/Bugtraq is now withholding info that may compete with or embarass Symantec or if you feel that they delay the release of information so they can notify their paying customers first.

    Vote in the poll so we can see what the AntiOnline community thinks of SecurityFocus under new ownership.


  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    First off I belive Secunia are not starting there own vulnerability list but are just collecting everyone elses into one place. But in their credit it is free!

    From there web site
    Secunia is collecting the information from many different security mailing lists, vendor mailing lists, vendor websites, product changelogs etc.
    So vulnerabilities that go come from bugtraq they will get at the same time as everyone else, unless they have paided for securityfocues alerting service.

    Now securityfocus still provide a seachable free database off vulnerabilites http://www.securityfocus.com/bid which is also free, however it a about 1 - 2 days behind the bugtraq info

    And from a little bit of reasearch Secunia are about a day behind security focus

    So lets call it a draw between security focus and Secunia in terms of what they offer free.


    However I belive that Secunia are just trying to market themselfs, it appears that there is not a lot of fact behind their claims.

    My 2 cents worth

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  3. #3
    Junior Member
    Join Date
    Mar 2003
    Location
    Kelowna, BC Canada
    Posts
    8

    Hmmm..

    quote:

    "The problem with SecurityFocus is not that they moderate the lists, but the fact that they deliberately delay and partially censor the information," said Thomas Kristensen, CTO of Secunia, based in Copenhagen, Denmark. "Since they were acquired by Symantec they changed their policy regarding BugTraq. Before they used to post everything to everybody at the same time. Now they protect the interests of Symantec, delay information and inform their customers in advance."


    If the US scientist learned a giant asteroid was coming for earth, but chose to sell the information to CNN versus MSNBC cause they paid more, and as a result slowed the public
    response to the threat and lessened people's chance of survivial, this would indeed, suck ass.

    Sure, virus warnings and cosmic collisions are different, but, they both deal with critical information. Critical information affecting everyones' lives and livelyhoods should be shared freely without any string attatched.

  4. #4
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Sure, virus warnings and cosmic collisions are different, but, they both deal with critical information. Critical information affecting everyones' lives and livelyhoods should be shared freely without any string attatched.
    I just had a discussion with my customer on a similar topic. It had to do with our response process when there is a new threat- virus or vulnerability exploit or otherwise.

    On the one hand, we want to ensure that the threat is confirmed by a credible source. For a virus you might consider that to be the major AV software vendors- McAfee, Symantec, etc. However, there is a delay between the time that word of the threat hits the street and the time that the vendors generally acknowledge the threat. It isn't always because they want to sell to the highest bidder or serve their paying customers first. They have to get a copy of the threat, reverse engineer it, draw up an assessment and hopefully create their virus file update to handle the threat before they go public.

    So, we have to balance the credibility of the source of notification of the threat with the damage that could be done while we wait for the vendors to get their ducks in a row and alert the world.

    Similarly, the industry and software vendors are aware of many vulnerabilities in their software. They may sit on that information for months while they work on researching and developing a patch. On the one hand, you can argue that this information should be made available ASAP- especially to customers. The vendors however want to keep it "secret" until the patch is ready so that they don't announce a vulnerability for which there is no fix.

    To me, that is 6 of one and half a dozen of the other. The hacker community that would exploit the vulnerability maliciously is most likely already aware of it- so the "secret" isn't being kept from them. But, to announce a vulnerability for which a patch won't be available for weeks would cause a panic.

    In short, I don't necessarily think they delay releasing information out of greed as much as it is to cover their ass and make sure they have the right answer and the right solution before announcing there is a problem.

  5. #5
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    1st- thanx for the tip toneybradley!
    ---------------------------------------------
    Now, could this be tested, that is the delay/censorship?

    Do they delay all info, or just some?
    >Is it only their products, or all commercial products?

    Post something on bugtraq, does it take any longer than it used to?
    > need help on this, while i'm signed up for the list i've never posted anything...

    What other vuln lists are credible?
    >Where else are we going to get our news?
    yeah, I\'m gonna need that by friday...

  6. #6
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Originally posted here by tampabay420
    1st- thanx for the tip toneybradley!
    ---------------------------------------------
    Now, could this be tested, that is the delay/censorship?

    Do they delay all info, or just some?
    >Is it only their products, or all commercial products?

    Post something on bugtraq, does it take any longer than it used to?
    > need help on this, while i'm signed up for the list i've never posted anything...

    What other vuln lists are credible?
    >Where else are we going to get our news?
    I think some sort of test would be interesting. However, like you I receive the messages from a lot of their lists, but I haven't posted anything so I wouldn't be able to tell if there was a difference between now and how they used to be.

    I have tried to post stuff related to articles or papers I have done and had it rejected. I know they use their mailing lists to send out notifications for their own articles and papers, so I thought it seemed a little monopolistic. But, maybe they just didn't like my article or the thread was closed. I don't have much of a frame of reference.

    I would also love to see anyone else's input on alternate sources of info. I am sure there are plenty out there- but does anyone have a recommendation for a resource that is timely, accurate and credible?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides