[16581] in bugtraq
Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
daemon@ATHENA.MIT.EDU (Peter Barker)
Tue Sep 5 13:47:52 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10009051827550.19539-100000@moriarty.fith.priv>
Date: Tue, 5 Sep 2000 18:41:34 +1100
Reply-To: Peter Barker <pbarker@BARKER.DROPBEAR.ID.AU>
From: Peter Barker <pbarker@BARKER.DROPBEAR.ID.AU>
X-To: Warner Losh <imp@VILLAGE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200009050356.VAA40419@harmony.village.org>
On Mon, 4 Sep 2000, Warner Losh wrote:
> I know that various groups in the past have tried to strike a balance
> between vendor coordination and forcing a release to spur the vendors
...
> What's really needed is a vulnerability stamping service :-). In the
I've thought that a bugtraq "delayed-action" script could do this.
Mail to, for example, "bugraq-14days@securityfocus.com" would be
acknowledged by the server as being in the queue to be posted to
"bugtraq@securityfocus.com" after (guess!) 14 days. A warning at 1 day may
also be sent to the advisory author.
Upon posting, original receipt date of the post should be obvious.
A "key" could be issued which, if used, should indicate to the list server
that the advisory should be broken out of the queue and posted to the
list.
This should do three things:
- establish (for those who need the ego-boost) who got in first with a
compromise
- give the vendor time to respond
- if cc'd to the appropriate contact for the compromised software, gives
them a date to work to - and a sword over their heads.
> Warner
Yours,
--
Peter Barker | N _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek | W + E / /\
pbarker-btq@barker.dropbear.id.au | S _,--?_*<-- Canberra
You need a bigger hammer. | v [35S, 149E]
"Note: Silencing the alarm does not solve the problem that caused it."
-- Sola (UPS) Users Guide
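
The delayed-action queue proposed in the message above, sketched as an added example; it is not part of the original post and is not code from any list server. All class and function names are hypothetical, and keeping only a hash of the release key on the server is an assumption of this sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

EMBARGO = timedelta(days=14)     # the "-14days" delay from the message
WARN_BEFORE = timedelta(days=1)  # author is warned 1 day before posting

@dataclass
class Queued:
    author: str
    body: str
    received: datetime           # original receipt date, shown on posting
    key_hash: bytes              # assumption: only a hash of the key is kept
    warned: bool = False

class DelayedQueue:
    def __init__(self):
        self.items = {}          # queue id -> Queued

    def submit(self, author, body, now):
        """Queue an advisory; return (id, release key) for the acknowledgement."""
        qid, key = secrets.token_hex(4), secrets.token_urlsafe(16)
        digest = hashlib.sha256(key.encode()).digest()
        self.items[qid] = Queued(author, body, now, digest)
        return qid, key

    def release(self, qid, key, now):
        """Break an advisory out of the queue early if the key matches."""
        item = self.items.get(qid)
        if item is None:
            return None
        digest = hashlib.sha256(key.encode()).digest()
        if not hmac.compare_digest(digest, item.key_hash):  # constant-time
            return None
        return self._post(qid, now)

    def tick(self, now):
        """Periodic job: return (warnings, posts) that are due at `now`."""
        warnings, posts = [], []
        for qid, item in list(self.items.items()):
            due = item.received + EMBARGO
            if now >= due:
                posts.append(self._post(qid, now))
            elif now >= due - WARN_BEFORE and not item.warned:
                item.warned = True
                warnings.append((item.author, due))
        return warnings, posts

    def _post(self, qid, now):
        item = self.items.pop(qid)
        return {"received": item.received, "posted": now, "body": item.body}
```

The receipt timestamp is set once at submission and carried into the posted record, so an early release with the key does not change who is shown to have reported first.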