The purpose of the list doesn't appear to circumvent Bugtraq -- you're comparing two different issues.
I suggest you re-read the pre-announcement, and also factor in other statements made by Paul that the community will now be notified via CERT when security problems occur. CERT has historically been worthless in this regard (IMO). By the time they release warnings, the problems have been well known among the security and dark-hat communities for weeks, months or in extreme cases years. In all fairness I believe this has been due to the vendors being unwilling to release the information, rather than due to any fault of CERT staff.
I'm no fan of CERT. Neither is Paul to my memory, but he can hardly advocate Bugtraq to some of the communities in which he must play ball.
In any case the result is the same: information is late in coming to anyone that relies on CERT for that information, exposing those individuals/organizations to a greater level of vulnerability and risk than they would otherwise face. It's foolish to rely on CERT notifications as the most timely information one could acquire.
What exactly does Paul's list have to do with this? You're still confusing a software update channel with a response center. He's not creating a response center, and neither would I in his circumstances. He's creating something that doesn't exist at this point, not taking anything away from anyone. All of us knew about severe bugs in BIND months, sometimes years before CERT reported an exploit. Paul's list may get the right information into the right hands sooner. Your complaint seems to boil down to the fact that he's not building an organization to replace CERT. As another small business owner, I can guess that he's got enough on his hands. If you feel this burning need for this, do it yourself! Stop confusing a support channel with a response center.
Finally, I'm not sure what you'd call NDAs that would prevent disclosure of security problems, but I'd say that's about as opposite of Bugtraq as you can get.
"Stop confusing a support channel with a response center."

If I was paying a software vendor for support, and they released information to the public before they gave me a chance to upgrade my vulnerable systems, I would hand them a lawsuit with a number you'd have trouble imagining. Thus, my software vendors better damn well have a closed-circuit channel to get me information on vulnerabilities with enough time to upgrade my software. HP, Sun, IBM and everyone else has contracts with the government and private institutions that require immediate access to this information. If Paul were to simply report a vulnerability to the world without giving these vendors a chance to produce patches for their customers, they would be forced to find another vendor for BIND. You're applying an old rant about open access to vulnerability information in the wrong place. Vulnerabilities _do_ need to be published, but not _before_ software vendors have a reasonable chance to update their software and produce patches!

Note: I'm not replying to anything else on this topic. People clearly aren't thinking properly about this, and I'm not going to waste my time arguing with ill-formed, biased 'religion' that has no place in the real world.

-- 
Joe Rhett
Chief Technology Officer
JRhett@ISite.Net
ISite Services, Inc.
PGP keys and contact information: http://www.noc.isite.net/Staff/