From: Steve (stevevulnwatch.org)
Date: Sun Dec 23 2001 - 16:17:25 CST

    VulnWatch - We now do Windows.

    Effective immediately, we will now begin to cover Microsoft security
    issues on VulnWatch. This does not mean that you will start to see MS
    Security Bulletins, but you will start to see legitimate advisories on
    serious issues that affect users of Microsoft operating systems.

    While I am on the topic of legitimate issues, I want to clarify the
    VulnWatch policy for approving posts.

    The purpose of VulnWatch was to create a non-commercial mailing list
    that people can rely on to get the information they need in an
    efficient manner. We do not want to flood the list of subscribers
    with 30+ messages a day on some obscure package or some obscure
    unexploitable vulnerability. If someone sends a post that is a true
    vulnerability on a package that is actually used, it will hit the list.

    Also, we are trying hard not to become PatchWatch -- that is, we do not
    want to flood you with the various vendor patch announcements. You should
    only see a patch announcement if it is attached to a new and unannounced
    vulnerability.

    There are three of us (Chris Wysopal, Rain.Forest.Puppy, and myself);
    we will try our best, but we won't be right 100% of the time, so if you
    think we have not approved your post and should have, feel free to email
    us.

    We have also had a recent upsurge in fake advisories, Trojan exploit
    code, and irresponsible disclosures. The moderators of the list do
    their best to validate each post, but our goal is to get the
    information out to the public as quickly as possible, so in a lot of
    cases we might miss something; if in doubt, we would rather approve a
    message than not approve a message. For those of you who seem to get
    joy from sending fake advisories, you know who you are: do this a few
    times and obviously we will begin to automatically send your messages
    to /dev/null/ without even looking at them.

    Download and use exploit code at your own risk. Running code from an
    untrusted source must be done very carefully. This goes for exploit
    code too.

    Now, a word about irresponsible disclosure:

    It is not the moderators' job, nor is it practical, for us to ensure that
    the researcher has been responsible with his findings. While I personally,
    as do the other moderators of the list, encourage responsible vulnerability
    disclosure, I cannot force and will not attempt to force my will on
    others. You can find suggested disclosure policies at
    www.vulnwatch.org/disclosure.html#papers

    Sorry for the extra message traffic. I hope everyone has a happy
    holiday and actually gets to take some time off over the next couple
    of weeks.

    Regards,

    Steve Manzuik
    Moderator - VulnWatch
    stevevulnwatch.org
    www.vulnwatch.org