Creating an Open Alternative to Bugtraq? 25
mbogosian asks: "I am not a sysadmin, nor am I a security expert, but I appreciate those who are. In response to a recent story, I went out and registered two domain names: opentraq.org and opentraq.net. I am hereby throwing down the gauntlet: I am willing to have them resolve to DNS servers belonging to a group of volunteers who wish to start and maintain an Open alternative to security services like BugTraq and others offered at the SecurityFocus website without being encumbered by the OIS Security Vulnerability Reporting And Response Process. I will continue to pay the renewal fees for the names as long as someone wants to continue the the effort. After the project becomes established and is maintained by a reputable (i.e., non-commercial) group of volunteers, I am willing transfer ownership of the domains to that group at no cost. Feel free to contact me if you are interested. Let the discussion begin! " Do you feel such a thing is necessary at this time? Why or why not?
dude. (Score:3, Insightful)
erm (Score:3, Insightful)
Nice that someone is willing (Score:2, Insightful)
I'd also like to see something like this supported by major firms, maybe just by setting up a system where the community can easily communicate with firms regarding security and bug issues.
Bugtraq works just fine (Score:5, Insightful)
The bug finding, reporting, fixing, and patching process should minimize the potential damage. If your goal is to minimize damage then neither full immediate discloser or no disclosure is a good answer. Bruce Schneier has written a good article about full disclosure in his Crypto-Gram newsletter [counterpane.com].
Unless bugtraq is falling down on the job, why do we need another one?
Yet Another Try... *yawn* (Score:4, Insightful)
I applaud your initiative, but honestly, I don't see either the need or the point.
Re:dude. (Score:5, Insightful)
IMO, having a open and non-corp backed mail list to handle security buq and the like would be the natural evolution needed to insure sysadmins have the most up to date info.
Re:Bugtraq works just fine (Score:3, Insightful)
"ever" is a strong word. Remember that one of the companies giving those recommendations is Symantec. Symantec own SecurityFocus. SecurityFocus runs Bugtraq.
Too Much (Score:2, Insightful)
Knowing this I would say if you want to do something, make it a couple degrees more useful than Bugtraq. I think a more interactive forum would be nice. I see some value in being able to perform advanced searches for vulnerabilities and code samples, as well as more filtering capabilties on the mailing list to sort out vulnerabilities that are only relevant to your enviroment.
Just some thoughts, but my impression is that the person who submitted the story doesn't want to do any real work anyway so this is all probably a moot point.