Rival disclosure mailing list launched by hackers, to regain community spirit.
vnunet.com, 13 Jul 2001
A bunch of hackers at the annunal Def Con and Black Hat conference have added to the often confusing and strongly opinionated debate over vulnerability disclosure by launching their own disclosure mailing list.
Run by well-known industry figures such as Rain Forest Puppy of Wiretrip, Weld Pond of @stake and L0pht, and security analyst Steve Manzuik, Vulnwatch.org is a non-profit, independent vulnerability disclosure list.
In the eyes of the Vulnwatch team, current methods of vulnerability disclosure, through such lists as Bugtraq, have become overrun by commercialism and bureaucracy, detracting from the community spirit.
Manzuik said: "The security community is not just a cliche. It really is a community bound by common interests and goals.
"Lately the over-commercialisation of vulnerability information has begun to detract from the community spirit that has enabled so many to publish their security research for the benefit of all."
Relationships between Manzuik and Bugtraq have been strained for some time. Initially Vulntraq was to be the name of the list, but reports claim that Bugtraq's lawyers got heavy over the name similarities.
Vulnwatch sparked further controversy with its claim that vulnerabilities will be publicised immediately, before vendors have had time to assess the situation prior to public release.
Bugtraq is rumoured to notify vendors first and give them reaction time, but it staunchly denies this.
But Vulnwatch may have hobbled itself before it even starts. It will not cover the Windows OS at all: instead, the focus will be totally Unix and Linux orientated.
A statement from the organisation said: "Public vulnerability disclosure is a very important and controversial cornerstone of the computer security landscape.
"Commercial interests can and do impact the availability of critical information, since this information can affect their bottom line in positive and negative ways.
"Unbiased and responsible vulnerability disclosure is best accomplished in a non-commercial, independent forum under the open scrutiny of the public eye."
The Vulnwatch site can be found here.
Security firm unveils 'intelligent' hacking suite that automatically penetrates systems.
Hacking battle heats up as copycat crackers compete to own the most number of sites in a minute.
Future worms may be impervious to traditional virus fighting techniques.
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
NetGear's four-bay compact network-attached storage gets a serious speed boost
Do you agree?
Have your say on this article