On Fri, 2 Feb 2001, Joe Rhett wrote:
Without rehashing the whole "open-disclosure" vs. "non-disclosure" arguments related to security issues in software, or the historically extreme inadequacies of CERT in offering timely notification of ANY security-related issues, it's very disappointing to see ISC resort to a fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and "we'll update people via CERT" method of dealing with the community they have served for so long.
I would have hoped by now that lists such as Bugtraq would have adequately exhibited the folly of such methodologies.
The purpose of the list doesn't appear to circumvent Bugtraq -- you're comparing two different issues.
I suggest you re-read the pre-announcement, and also factor in other statements made by Paul that the community will now be notified via CERT when security problems occur. CERT has historically been worthless in this regard (IMO). By the time they release warnings, the problems have been well known among the security and dark-hat communities for weeks, months or in extreme cases years. In all fairness I believe this has been due to the vendors being unwilling to release the information, rather than due to any fault of CERT staff. In any case the result is the same: information is late in coming to anyone that relies on CERT for that information, exposing those individuals/organizations to a greater level of vulnerability and risk than they would otherwise face. It's foolish to rely on CERT notifications as the most timely information one could acquire.

Finally, I'm not sure what you'd call NDAs that would prevent disclosure of security problems, but I'd say that's about as opposite of Bugtraq as you can get.

P.S. AboveNet is taking the latest BIND vulnerability(ies) seriously enough that they are beginning wholesale scans of their address space. Draw your own conclusions related to masking version numbers.