Feeds

BugTraq, @Stake differ on vulnerability reports

And we think they're both right

  • alert
  • submit to reddit

Boost IT visibility and business value

Two respected names in Internet security, SecurityFocus and @Stake, have encountered what we hope will be a brief impasse on the issue of how to share vulnerability reports, into which a great deal of unremunerated work is put.

Recently, @Stake, which also runs the Hacker News Network Web site, submitted an abbreviated notice to the BugTraq mailing list concerning a security hole in AOL's Instant Messenger (AIM) explaining how a malicious URL can be used to take control of someone else's AIM client and run arbitrary code on their machine.

SecurityFocus' Elias Levy, who moderates the BugTraq list, rejected the submission on grounds that it included too little descriptive detail to be appropriate for his subscribers.

@Stake's Weld Pond countered that the submission, while brief, contained a link to the full text on the @Stake Web site so that BugTraq subscribers might easily examine all the gruesome technical details if they pleased.

"We want to draw readers to our Web site to present them with additional helpful information that cannot be accomplished in the mailing list format," Weld Pond told The Register.

And that, of course, is perfectly reasonable.

Levy argues that while "some people....may prefer to receive a short notice instead of the full advisory, that is not the case with BugTraq." It is, rather, "a mailing list for the dissemination and discussion of security vulnerabilities," rather than announcements, he told us.

And that, too, is perfectly reasonable. What we have here is a difference of opinion in which both parties are making sound, rational arguments.

@Stake certainly has every right to influence the way in which their original content is presented by third parties. "We do not wish to have our research work presented as the content of another site that has another company's banner ads or branding around it. If you look at the advisory presentation on our site, there are no ads or marketing messages. It is a strictly academic presentation," Weld Pond told us.

And yet again, Levy made a good point when he noted to us that posting less than the full advisory to the BugTraq list "breaks down the flow of discussion. Now people need to visit the Web site, read the advisory, and if they want to comment copy and paste into a new message."

"For very long we have tolerated the marketing copy on vendor advisories because while annoying they were accompanied by useful information. But in this change there is no value added to list subscribers. It's for this reason that we are not accepting such advisories," Levy added.

This development comes on the heels of a dispute with Microsoft which told BugTraq that MS security advisories may not be reproduced in whole on the list, citing copyright issues, as we reported here.

"I must admit I don't understand the change @Stake made. Microsoft I can understand; @Stake I can't," Levy said.

"I've asked the list subscribers for their opinions. I've received over five-hundred messages to far. While a handful of people liked the notices, the large majority of them, probably around 95 per cent, found the change to be a negative one and want me to hold firm to the policy of not approving them."

Meanwhile, Weld Pond notes that @Stake's work remains freely available on their site. "People can always reference our work and make fair use of it. We do not wish to stop anyone from learning from it or using it to better secure their computing resources or build better security products. This is of course the primary reason we publish our research and make it freely available for all to read. The fundamental values of full disclosure remains unchanged," he told us.

But referencing the work is not the same as reproducing it. So we might conclude that BugTraq's perfectly legitimate posting requirements are simply incompatible with @Stake's perfectly legitimate desire to draw Web surfers to their own site to view the material in the format they prefer.

A recent story by ZD-Net may have added fuel to a fire that doesn't quite exist. "The fight pits the open atmosphere of an Internet mailing list with the proprietary tactics of two corporations that are well-known in the security field, said Elias Levy," ZD-Net wrote.

We were immediately startled by the word "fight" attributed to Levy, who is as peaceable a fellow as one might ever meet.

"I would not call it a feud. There haven't been any unpleasant exchanges. I can't speak for @Stake but I get the impression they may think I am being inflexible. After all, they did modify their notice format once. Maybe I am being inflexible," Levy told us.

Hardly the words of a man girding himself for battle.

We would hope that these two organisations, whose work we admire greatly, will be able to strike a compromise acceptable to both.

"The one compromise that seems obvious and was suggested by several list members -- that of publishing the whole advisory but with a large notice at top pointing people to the @Stake Web site for the most up-to-date information -- seems not to be to @Stake's liking. I don't know that there is a middle ground," Levy said.

Perhaps a copyright notice or 'reproduced by permission' notice would be helpful here; we don't know. But we do know that it would be most unfortunate if anything like the "fight" rumoured to be underway should actually result from what we perceive as a mere difference of opinion.

But we rather think it won't. At a minimum we reckon the two would simply agree to disagree. Not the best of all possible outcomes surely, but certainly not the worst. ®

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.