[This was originally published on the OSVDB blog.]
Recently, Juha-Matti Laurio questioned whether there is a trend toward releasing vulnerability information via blog entry. While he is right that we are seeing it a bit more frequently, I don’t think it is any different from the dozens of “hacker” or security message forums that consistently seem to be the first point of disclosure. The other point in the post was how such disclosures may suffer from varying report formats, unofficial comments, and vendors not being able to keep up with such blogs. My thoughts:
1. There is already a huge disparity in vulnerability disclosures as far as format goes. Even vendor advisories can vary quite a bit, making it increasingly difficult to parse the information, receive the same type of info, etc. There have been several attempts to standardize such disclosures, and it is even something I harped on at the last CanSec conference. Trying to get such a diverse group of researchers to use a single format, or even to include a base amount of information, is likely a pipe dream.
2. Unofficial comments are something that would affect not only blogs, but message forums and even mail lists. There are times when someone will post to Bugtraq, but subsequent replies are cross-posted to Vuln-Dev or other lists for further discussion. Some vulnerability databases also tend to miss new information (and even new vulnerabilities) in such replies, as if anything with “re:” in the subject line gets ignored.
3. Vendors can’t keep up with blog entries; there is no question about it. Hell, *we* can’t either, as there are dozens of blogs and message forums where people disclose new vulnerabilities. That is one value of having one or two primary sources for such information (Bugtraq and Full-Disclosure, for example). One thing folks can do to help with this: if they run across such a blog/forum post, dump the contents to one of the bigger mail lists. Include not only the URL, but the text as well (many sites tend to vanish, while mail list archives are all over).