[14292] in bugtraq

Administrivia

daemon@ATHENA.MIT.EDU (Elias Levy)
Wed Mar 15 01:38:50 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000314141313.Q21923@securityfocus.com>
Date:         Tue, 14 Mar 2000 14:13:13 -0800
Reply-To: aleph1@SECURITYFOCUS.COM
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

One question I've always wrestled with is whether to approve messages that
affect services (such as specific web sites), instead of applications.
During the last couple of weeks I've seen an increase in the number of
such messages submitted to the list.

Normally I do not like to approve such messages. I feel the issue is
better dealt with by contacting the service provider or by bringing
the issue up in a forum that targets users of the service. My rule of
thumb is to only approve messages about service vulnerabilities if
the population of affected users is large enough.

What is "large enough" is difficult to determine. I think most people
would agree users of a service like Hotmail is large enough (they claim
several million users). Other things are somewhat more difficult.
For example, is deja.com large enough? What do others think?

Please send me private email. Do not reply to the list.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
