Tag: SecurityFocus

  • Saving Bugtraq

    In July of 2019, many noticed that the Bugtraq mail list stopped having posts approved, including Art Manion at CERT. Since there are many other outlets for vulnerability disclosure, such as the Full-Disclosure mail list, Packetstorm, Exploit Database, and increasingly on GitHub, it didn’t receive much attention. It wasn’t like the days when the list…

  • Your yearly reminder to post to Full-Disclosure, not Bugtraq

    [This was originally published on the OSVDB blog.] [10/29/2020 Update: As of February 24, SecurityFocus has stopped moderating posts to the Bugtraq mail list without explanation or warning. This is apparently related to Broadcom acquiring Symantec, the owner of SecurityFocus.] This has been a long-recognized and proven thing, but every year we run into more…

  • VDB Relationships (Hugs and Bugs!)

    [This was originally published on the OSVDB blog.] Like any circle in any industry, having good professional relationships can be valuable to involved parties. In the world of security, more specifically Vulnerability Databases (VDBs), the relationships we maintain benefit the community behind the scenes. Like ogres and onions, there are layers. Someone from CVE and…

  • The Upside to the Provenance Problem

    [This was originally published on the OSVDB blog.] As mentioned before, Christey of CVE mentions an ongoing problem in the vulnerability world is that of “provenance”, meaning “where the hell did that come from?!” Vulnerability Databases (VDBs) like CVE and OSVDB are big on provenance. We want to know exactly where the information came from…

  • Security Advisories, Mail Lists, and You

    [This was originally published on the OSVDB blog.] When a security researcher finds a vulnerability, they may choose to release the details in a formal advisory. The difference between a random post to a mail list and an advisory typically involves the level of detail and the amount of peripheral information to the vulnerability. This…

  • Mail List Archives 101 (or Why SF Hates VDBs)

    [This was originally published to the OSVDB blog.] Running a mail list archive is a straightforward task. Collect, organize and make mail list posts available via the web. You can see such archives at seclists.org or the Neohapsis archive. Most folks that use archives like this have their favorites for various reasons. Speed, the…

  • SecurityFocus Defaced? Kind of.

    [This was originally published on attrition.org. Jay Dyson and Simple Nomad contributed to this post.] Earlier today, various people/sites were reporting that SecurityFocus.com had been defaced. Initial inspection of the screenshots suggested this was the case, but further digging revealed what really happened. First, one must define a ‘defacement’. In the years of running the…

  • The Last Line of Defense, Broken

    [This was originally published on SecurityFocus and mirrored on attrition.org.] The Last Line of Defense, Broken: The Public Perception of Security Companies Getting Compromised. Every so often, the protectors of your most important digital resources get hit with a little mud in the face. The so-called last line of defense is broken, and the security company…

  • How to Get A Real Security Budget

    [This was originally published on SecurityFocus and mirrored on attrition.org.] There you are, a highly paid professional administrator for a large Information Technology (IT) shop. Responsible for dozens, sometimes hundreds or thousands of machines that process company business; business in the form of vital correspondence between Research and Development, financial transactions for your countless customers. Perhaps…