Date:         Tue, 25 Jul 2000 11:46:21 -0700
From: Alfred Huger <ah@SECURITYFOCUS.COM>
Subject:      New reporting service w/ Bugtraq
To: BUGTRAQ@SECURITYFOCUS.COM

Bugtraq users,

 As most of you know, traffic on Bugtraq over the last 6 months has reached
record proportions. Obviously this means more and more people are
releasing bugs to the public, and more than ever Full Disclosure is
becoming the norm.

 This, in our opinion (the SecurityFocus.com team), is a good thing. However,
with the influx of new bugs, the reporting of these issues in terms of
thoroughness leaves something to be desired. I say this in terms of both
vendor notification and precise descriptions of the problems at
hand. Given that this is the case, the staff at SecurityFocus have decided to
start a free community-based service which will assist people in posting
their bugs. This service is simply a support arm for people wishing to
post vulnerabilities and who want to do it efficiently, in a way which
benefits the community the most.

 The service we will be offering is roughly broken down as such:

 1. Vendor contact.

 We will help pinpoint the appropriate vendor contact for the problem and
can provide a pre-written letter which can be sent to the vendor. Further,
we will work with the poster to define what is most likely a reasonable
timeline for vendor response, and contingency plans in the event of
uncooperative vendors.

 Beyond this, we can act as a third party observer for the communication
between the vendor and the poster. This may be useful in the event of a
dispute over who said what, when, where etc.

 2. Advisory drafting

 We will help the poster draft the advisory with as much detail as they
can provide and in a format which is hopefully easy to digest. A terrific
number of advisories are being released with little or no coherence; as a
result, the message they carry is a little less likely to be
digested.

 3. FIRST Team coordination

 We will be happy to forward the relevant details to whichever FIRST Teams
have authority over the issues at hand (most likely CERT/CC).

 We feel that these simple steps should make things a little more
efficient for the community in general, and certainly easier for the people
whom these problems really impact: the vulnerable users.

 All of these steps will essentially be addressed with form-type letters
and help from some of the SecurityFocus.com staff who are familiar with
this type of work. Some points for clarification should be mentioned here:

 1. This is not a pay service in any way, shape or form. It's actually
being performed by the staff here outside of our regular work and on a
volunteer basis.

 2. We do not require anything from the poster of the advisory, not
credit, not warm gushy respect, not a single thing. If people use this
service and it ends up helping us all, it's payment enough.

 3. We do not actually post the advisories, that's up to the
discoverer. Our help is entirely behind the scenes.

 4. THIS IS NOT REQUIRED TO POST TO BUGTRAQ. This is simply an available
service; use it or not, it's entirely your call.

 5. If you use the service we still place no restrictions on your post. If
you decide in the middle of the process to post to Bugtraq anyhow, so be
it.

 I do hope some folks will take advantage of this as we really believe it
will help.

 For those who want to use this service feel free from this point on to
mail:

 vulnhelp@securityfocus.com

 We will take it from there.
Alfred Huger
VP of Engineering
SecurityFocus.com