BugTraq, @Stake differ on vulnerability reports

And we think they're both right

Two respected names in Internet security, SecurityFocus and @Stake, have encountered what we hope will be a brief impasse on the issue of how to share vulnerability reports, into which a great deal of unremunerated work is put.

Recently, @Stake, which also runs the Hacker News Network Web site, submitted an abbreviated notice to the BugTraq mailing list concerning a security hole in AOL's Instant Messenger (AIM) explaining how a malicious URL can be used to take control of someone else's AIM client and run arbitrary code on their machine.

SecurityFocus' Elias Levy, who moderates the BugTraq list, rejected the submission on grounds that it included too little descriptive detail to be appropriate for his subscribers.

@Stake's Weld Pond countered that the submission, while brief, contained a link to the full text on the @Stake Web site so that BugTraq subscribers might easily examine all the gruesome technical details if they pleased.

"We want to draw readers to our Web site to present them with additional helpful information that cannot be accomplished in the mailing list format," Weld Pond told The Register.

And that, of course, is perfectly reasonable.

Levy argues that while "some people....may prefer to receive a short notice instead of the full advisory, that is not the case with BugTraq." It is, rather, "a mailing list for the dissemination and discussion of security vulnerabilities," rather than announcements, he told us.

And that, too, is perfectly reasonable. What we have here is a difference of opinion in which both parties are making sound, rational arguments.

@Stake certainly has every right to influence the way in which their original content is presented by third parties. "We do not wish to have our research work presented as the content of another site that has another company's banner ads or branding around it. If you look at the advisory presentation on our site, there are no ads or marketing messages. It is a strictly academic presentation," Weld Pond told us.

And yet again, Levy made a good point when he noted to us that posting less than the full advisory to the BugTraq list "breaks down the flow of discussion. Now people need to visit the Web site, read the advisory, and if they want to comment copy and paste into a new message."

"For very long we have tolerated the marketing copy on vendor advisories because while annoying they were accompanied by useful information. But in this change there is no value added to list subscribers. It's for this reason that we are not accepting such advisories," Levy added.

This development comes on the heels of a dispute with Microsoft which told BugTraq that MS security advisories may not be reproduced in whole on the list, citing copyright issues, as we reported here.

"I must admit I don't understand the change @Stake made. Microsoft I can understand; @Stake I can't," Levy said.

"I've asked the list subscribers for their opinions. I've received over five-hundred messages to far. While a handful of people liked the notices, the large majority of them, probably around 95 per cent, found the change to be a negative one and want me to hold firm to the policy of not approving them."

Meanwhile, Weld Pond notes that @Stake's work remains freely available on their site. "People can always reference our work and make fair use of it. We do not wish to stop anyone from learning from it or using it to better secure their computing resources or build better security products. This is of course the primary reason we publish our research and make it freely available for all to read. The fundamental values of full disclosure remains unchanged," he told us.

But referencing the work is not the same as reproducing it. So we might conclude that BugTraq's perfectly legitimate posting requirements are simply incompatible with @Stake's perfectly legitimate desire to draw Web surfers to their own site to view the material in the format they prefer.

A recent story by ZD-Net may have added fuel to a fire that doesn't quite exist. "The fight pits the open atmosphere of an Internet mailing list with the proprietary tactics of two corporations that are well-known in the security field, said Elias Levy," ZD-Net wrote.

We were immediately startled by the word "fight" attributed to Levy, who is as peaceable a fellow as one might ever meet.

"I would not call it a feud. There haven't been any unpleasant exchanges. I can't speak for @Stake but I get the impression they may think I am being inflexible. After all, they did modify their notice format once. Maybe I am being inflexible," Levy told us.

Hardly the words of a man girding himself for battle.

We would hope that these two organisations, whose work we admire greatly, will be able to strike a compromise acceptable to both.

"The one compromise that seems obvious and was suggested by several list members -- that of publishing the whole advisory but with a large notice at top pointing people to the @Stake Web site for the most up-to-date information -- seems not to be to @Stake's liking. I don't know that there is a middle ground," Levy said.

Perhaps a copyright notice or 'reproduced by permission' notice would be helpful here; we don't know. But we do know that it would be most unfortunate if anything like the "fight" rumoured to be underway should actually result from what we perceive as a mere difference of opinion.

But we rather think it won't. At a minimum we reckon the two would simply agree to disagree. Not the best of all possible outcomes surely, but certainly not the worst. ®

Sponsored: Today’s most dangerous security threats