Microsoft (MSFT) last week pared down the security warnings it sends by email to the Bugtraq and NT-Bugtraq mailing lists as well as to 130,000 other subscribers who want to know about vulnerabilities and fixes to Microsoft software, said Scott Culp, Microsoft's security program manager. Instead, the emails include a link to a Web page with additional details.
Microsoft made the change so customers get the most up-to-date and accurate information rather than potentially out-of-date news from an archived email. "The goal is to make sure the information is as useful as it can be, it's timely, and it's accurate," he said.
But he acknowledged Microsoft still must send new email out if the Web site changes.
Bugtraq moderator Elias Levy thought the change was a step in the wrong direction. "I will no longer be approving any advisories with little or no content that point you to some other place for information," he said in a posting Wednesday. The change meant information is a step farther away, not archived and available in a single central source that might not always be available, he said.
The dispute marks another chapter in the sometimes rocky relationship between Microsoft and security experts. While outside programmers often find problems with Microsoft's software, sometimes they earn Microsoft's ire by publishing the vulnerability before Microsoft has time to fix it.
Levy wasn't the only one to complain. In a note Friday, programmer Forrest Cavalier voted to resurrect the older format, saying Microsoft has been known to move Web pages so older addresses no longer work. "There was a time that Microsoft URLs had a half-life of a few months," he said.
Russ Cooper, moderator of a different security mailing list called NT-Bugtraq, applauded Microsoft's change. "Its very easy to have conflicting information about the scope of a vulnerability depending on which email version of the bulletin you're looking at," he said in a Wednesday posting.
Culp, who spoke Friday with Levy at a Microsoft security conference, said Microsoft expects to change the format of the advisories to compromise. "There's a trade-off between how often can you send the (advisory) vs. the extra step of going to the Web page. Somewhere in there is a middle ground," Culp said.
Levy began posting text versions of the Microsoft Web pages, but he said Microsoft told him "in no uncertain terms" that reproducing the information "would be considered an act of copyright violation."
"So until Microsoft changes their policy or changes their email bulletins back to the old format, you won't see them on the list," Levy said.
Microsoft is seeking email comment on the new advisory format. About 1,500 people so far have sent their opinions to the firstname.lastname@example.org email address, he said.
Levy couldn't be reached for comment on Friday.
Another change that comes with the new format is that Microsoft can track who is reading its Web advisories through the use of invisible tracking software called Web bugs, according to Privacy Foundation chief technology officer Richard Smith, who noted that he didn't see that as "a big deal."
"One thing that Microsoft is learning here is what bulletins people consider important," he said in a posting to Bugtraq. "With the older format, where all the info was in an email message, they did not get this feedback."