BugTraq

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.

0 Administrivia

0.1 Charter
0.1.1 What is BugTraq?
0.1.2 What is appropriate content?
0.1.3 What is inappropriate content?
0.1.4 Is the list moderated?
0.1.5 Who is the moderator?
0.1.6 What is Full Disclosure?
0.1.7 What is Security Through Obscurity?
0.1.8 What is the proper protocol to report a security vulnerability?
0.1.9 What should be included in a vulnerability report?
0.1.10 Do you verify the information on the list?

0.2 History
0.2.1 When was BugTraq created?
0.2.2 When did BugTraq become moderated?

0.3 List Management
0.3.1 How do I subscribe?
0.3.2 How do I unsubscribe?
0.3.3 How do I disable mail delivery temporarily?
0.3.4 Is the list available in a digest format?
0.3.5 How do I subscribe to the digest?
0.3.6 How do I unsubscribe from the digest?
0.3.7 I seem to not be able to unsubscribe. What is going on?
0.3.8 Can you add a tag like "[BUGTRAQ]" to the subject line of each message?
0.3.9 How can I tell whether I am subscribed to the list?

0 Administrivia
0.1 Charter
0.1.1 What is BugTraq?

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.

0.1.2 What is appropriate content?

Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

0.1.3 What is inappropriate content?

0.1.4 Is the list moderated?

Yes.

0.1.5 Who is the moderator?

David Mckinney <dm@securityfocus.com>.

0.1.6 What is Full Disclosure?

Full Disclosure is a security philosophy that believes:

  1. A truly secure system must be able to withstand open review at all levels (e.g. protocol, source code, etc.).
  2. The details of security vulnerabilities should be available to everyone.

Benefits include:

  1. A large number of individuals get to review the system for security weaknesses.
  2. Vendors are pressured into providing security fixes quickly.
  3. Programmers and system designers can learn from others' mistakes.
  4. Users can identify similar vulnerabilities on systems other than the original.

Cons include:

  1. At the same time you inform constructive people of security vulnerabilities, you also inform destructive people.

0.1.7 What is Security Through Obscurity?

Security Through Obscurity is a security philosophy that believes:

  1. That if the details of a system are not made publicly available, the system will be more secure.
  2. Vulnerability details should be restricted to vendors and a few security experts.

0.1.8 What is the proper protocol to report a security vulnerability?

A sensible protocol to follow when reporting a security vulnerability is as follows:

  1. Contact the product's vendor or maintainer and give them a one-week period to respond. If they don't respond, post to the list.
  2. If you do hear from the vendor, give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product; it's up to you to make an estimate. If they don't respond in time, post to the list.
  3. If they contact you asking for more time, consider extending the deadline in good faith. If they continually fail to meet the deadline, post to the list.

When is it advisable to post to the list without contacting the vendor?

  1. When the product is no longer actively supported.
  2. When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm than good.

All this being said, we would rather have people report vulnerabilities to the list and not inform the vendors, whatever their reasons may be, than have them keep the information to themselves.

0.1.9 What should be included in a vulnerability report?

  • A list of vulnerable applications/operating systems/devices/etc. with version numbers and patch levels.
  • A list of non-vulnerable applications/operating systems/devices/etc. with version numbers and patch levels.
  • A detailed discussion of the vulnerability and the environment in which it was found.
  • A detailed discussion on how to reproduce the vulnerability, possibly including exploit programs.
  • A detailed discussion of solutions, fixes or possible work-arounds.
  • References to information related to the vulnerability.
  • Appropriate credit if the vulnerability was found by someone else.

0.1.10 Do you verify the information on the list?

No, we do not. The BUGTRAQ moderation process is not meant to verify and validate any information, patches, exploits or programs sent out via the list. It is in place to keep the discussion on the list on topic.

You should not assume that any of the information on the list is correct, or that any of the patches, exploits and programs do not contain backdoors or trojans, without verifying this yourself. If you can't verify it yourself, we recommend that you wait until other subscribers verify the validity of the information and post their results to the list.

It is quite likely that there will be times when live exploits will be sent to the list. Some may even affect your mail reading program. You should assume this will be the case and prepare for such a situation.

Caveat Emptor

0.2 History
0.2.1 When was BugTraq created?

BugTraq was created on Friday the 5th of November, 1993 by Scott Chasin. Aleph One took over BugTraq on Tuesday the 14th of May, 1996. Over the years BugTraq has grown into a well-respected security mailing list with over twenty-seven thousand subscribers.

0.2.2 When did BugTraq become moderated?

BugTraq became moderated on the 5th of June, 1995. At the same time, BugTraq was moved to netspace.org. The list became moderated after the noise level became unacceptable.

0.3 List Management
0.3.1 How do I subscribe?

Send an e-mail message to bugtraq-subscribe@securityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to reply.

0.3.2 How do I unsubscribe?

Send an e-mail message to bugtraq-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to reply.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

0.3.3 How do I disable mail delivery temporarily?

Unsubscribe from the list, then resubscribe when you want to start receiving mailing list traffic again.

0.3.4 Is the list available in a digest format?

Yes.

0.3.5 How do I subscribe to the digest?

Send an e-mail message to bugtraq-digest-subscribe@securityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to reply.

0.3.6 How do I unsubscribe from the digest?

Send an e-mail message to bugtraq-digest-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to reply.

0.3.7 I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from which you are sending commands to the list. Either send email from the appropriate address or email listadmin@securityfocus.com to be unsubscribed manually.

0.3.8 Can you add a tag like "[BUGTRAQ]" to the subject line of each message?

Not at this time.

0.3.9 How can I tell whether I am subscribed to the list?

Send an e-mail message to bugtraq-query@securityfocus.com. If you want to test whether you are subscribed to the digest, send an e-mail message to bugtraq-digest-query@securityfocus.com.

Copyright 2006, SecurityFocus