BugTraq tiff 'a slippery slope'?

After being snubbed by Microsoft, the popular BugTraq security list gets a cold shoulder from @Stake. A moderator says things could go downhill from here

A week after banning Microsoft from a popular security mailing list, the moderator of the BugTraq list has refused to post advisories from a second company, @Stake.

The fight pits the open atmosphere of an Internet mailing list against the proprietary tactics of two corporations that are well-known in the security field, said Elias Levy, chief technology officer of SecurityFocus.com and moderator of the BugTraq security list.

Both Microsoft and @Stake posted advisories that summarised a particular flaw and directed readers back to the companies' Web sites.

"This is just going to become a slippery slope," Levy said. "The information will go someplace else, and that will really affect the value of the list."

Two weeks ago, Microsoft changed its procedure for posting security bulletins to mailing lists. Instead of full descriptions of the problems and solutions, the giant described a problem and referred the reader back to the Microsoft Web site.

The change made sense for the customers, said Steven Lipner, manager of Microsoft's Security Response Center, during an interview last week. "If we post an advisory with an error in it, we would have to go out and get the information changed wherever else it may be mirrored."

Levy didn't agree with Microsoft's logic.

On Thursday, Levy banned the software giant from posting further advisories until its Vulnerability Response Center agreed to include more information in its advisories.

The scene replayed itself this week.

On Tuesday, Levy refused to post an advisory from security services firm @Stake regarding a flaw in America Online's Instant Messenger service. The advisory did not give a detailed description of the flaw, nor any remedy, unless the reader followed a link to the @Stake site.

"Weld Pond", who goes by his hacker handle and is director of vulnerability research for @Stake, said the advisory explains enough of the problem for any administrator to gauge whether the flaw should pose a concern.

"I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories," Pond said in a Wednesday posting to BugTraq. "What we are doing is adding more information than we have in the past and we are adding it on our Web site."

Yet, Levy remains unconvinced.

"Imagine if all advisory publishers decided to make this change," he said in a Wednesday posting to the BugTraq list. "I fear such change would create friction that would diminish valuable discussion on the list and erode the BugTraq community."
