Symantec Buys SecurityFocus/BugTraq
from the who-can-you-trust? dept
Symantec today announced they have purchased SecurityFocus, along with its BugTraq mailing list, for $75 million. BugTraq, of course, is the main list for finding out about major security holes. There are now a ton of people wondering just how quickly Symantec will screw up SecurityFocus. While the folks at SecurityFocus insist that Symantec has assured them they’ll be able to continue without changing anything, many aren’t so sure. Symantec has a history of overhyping virus warnings, and if they see BugTraq as a way to do the same thing for security holes, that could be a problem. At the same time, Symantec, as a big corporation, may have an incentive to hold back certain security hole info to protect their corporate relationships. Of course, what will probably happen is that a new independent source for security holes will soon pop up, and BugTraq will lose a lot of its value.
Comments on “Symantec Buys SecurityFocus/BugTraq”
Bugtraq more screwed up than it already is?
Bugtraq hasn’t been the same for a very long time…ever since Aleph1 turned over the mailing list to the corporate weenies.
Used to be that anyone with a bug didn’t have to worry about whether or not they were “recognizable” enough to post. “Full disclosure” was a status quo, and Aleph1 pushed anything on the list worth posting onto the list. I remember asking him a few times whether something was worth posting, to which he would say that if it was a bug it was worth posting.
Now it seems more and more of the bug reports which should be posted are being “lost”. I’ve had a number of my bug reports (which were accepted elsewhere, i.e. Mitre CVE) rejected or timed out. Seems like nowadays, the only folks able to post are those from recognizable “hacker” groups or those companies which are in bed with SecurityFocus. Gweed was definitely right, bugtraq has become nothing more than a place to show off your security company… Free PR for ISS and companies like that, who can post irresponsible bug reports for the sole purpose of sales, or Gobbles for the sole purpose of hysterical and unfactual political rants.
I’ve found that the other vulnerability mailing lists tend to be much more responsive, less political or sales oriented.