VulnWatch
Friday May 09, 2008  
VulnWatch Raison d'etre

VulnWatch was created because the involved individuals felt the need for a forum which didn't currently exist: a non-discussion, non-patch, all-vulnerability announcement list supported and run by a community of volunteer moderators distributed around the world.

News

08-01-02 02:17 GMT
VulnDiscuss is launched.

By popular demand we have created a new mailing list for the discussion of vulnerabilities. While the moderators of VulnWatch have kept discussion to an absolute minimum on VulnWatch, this new list encourages it. This list complements the announcement nature of VulnWatch with a place to share experiences working with new vulnerabilities. The list is moderated and will be kept strictly technical. Subscription info.

08-01-02 02:17 GMT
David Litchfield - New VulnWatch moderator

David Litchfield of Next Generation Security Software is our newest volunteer moderator for the VulnWatch mailing list. David should be a familiar name to those who follow new vulnerabilities.

12-23-01 22:17 GMT
VulnWatch - We now do Windows.

Effective immediately, we will begin to cover Microsoft security issues on VulnWatch. This does not mean that you will start to see MS Security Bulletins, but you will start to see legitimate advisories on serious issues that affect users of Microsoft operating systems.

While I am on the topic of legitimate issues, I want to clarify the VulnWatch policy for approving posts.

The purpose of VulnWatch was to create a non-commercial mailing list that people can rely on to get the information they need in an efficient manner. We do not want to flood the list of subscribers with 30+ messages a day on some obscure package or some obscure unexploitable vulnerability. If someone sends a post that is a true vulnerability on a package that is actually used, it will hit the list.

Also, we are trying hard not to become PatchWatch -- that is, we do not want to flood you with the various vendor patch announcements. You should only see a patch announcement if it is attached to a new and unannounced vulnerability.

There are three of us, Chris Wysopal, Rain.Forest.Puppy, and myself. We will try our best, but we won't be right 100% of the time, so if you think we have not approved your post and should have, feel free to email us.

We have also had a recent upsurge in fake advisories, Trojan exploit code, and irresponsible disclosures. The moderators of the list do their best to validate each post, but our goal is to get the information out to the public as quickly as possible, so in a lot of cases we might miss something; if in doubt, we would rather approve a message than not approve a message. For those of you who seem to get joy from sending fake advisories, you know who you are: do this a few times and obviously we will begin to automatically send your messages to /dev/null without even looking at them.

Download and use exploit code at your own risk. Running code from an untrusted source must be done very carefully. This goes for exploit code too.

Now, a word about irresponsible disclosure:

It is not the moderators' job, nor is it practical, for us to ensure that the researcher has been responsible with his finding. While I personally, as do the other moderators of the list, encourage responsible vulnerability disclosure, I cannot force and will not attempt to force my will on others. You can find suggested disclosure policies at www.vulnwatch.org/disclosure.html#papers

Sorry for the extra message traffic. I hope everyone has a happy holiday and actually gets to take some time off over the next couple of weeks.

Regards,

Steve Manzuik
Moderator - VulnWatch
steve@vulnwatch.org

12-01-01 16:52 GMT
VulnWatch moderator, Steve Manzuik is quoted in an article concerning vulnerability disclosure, "It's not the researchers that are to blame for the massive amount of incidents relating to MS products," Information Anarchy?, Information Security Magazine.

9-21-01 14:32 GMT
Cross site scripting problems live on at major sites 18 months later. Researchers used VulnWatch to disclose these problems. AOL, Yahoo, ICQ Sites Battle Security Holes, Newsbytes.

8-03-01 20:00 GMT
Several interesting new papers on vulnerability disclosure have been added to the site.

7-17-01 07:00 GMT
VulnWatch is mentioned in Declan McCullagh's Wired story on the newly independent Packetstorm, Hackers Secure a Downgraded Storm.

7-12-01 01:05 GMT
VulnWatch was announced at Black Hat with Steve Manzuik giving a 5 minute description of the project at the end of RFP's talk. We have issued this press release.

Browse around, sign up for the list, and don't forget to come back in a few days when the archive feature should be working.

Copyright © 2001 VulnWatch.org
All rights reserved.
Colocation services generously provided by:  GlobalNAPS
Last updated 07/31/02