VULN-DEV


0 Administrivia

0.1 Charter
0.1.1 What is VULN-DEV?
0.1.2 What is appropriate content?
0.1.3 What is inappropriate content?
0.1.4 Is the list moderated?
0.1.5 Who are the moderators?

0.2 List Management
0.2.1 How do I subscribe?
0.2.2 How do I unsubscribe?
0.2.3 How do I disable mail delivery temporarily?
0.2.4 Is the list available in a digest format?
0.2.5 How do I subscribe to the digest?
0.2.6 How do I unsubscribe from the digest?
0.2.7 I seem to not be able to unsubscribe. What is going on?
0.2.8 Can you add a tag like "[VULN-DEV]" to the subject line of each message?



0 Administrivia
0.1 Charter
0.1.1 What is VULN-DEV?

There are many forums for reporting security bugs and distributing vulnerability code or examples. A prime example of such a forum is the BUGTRAQ mailing list. However, nearly all of these forums exist mostly for the dissemination of fully researched reports, and they leave little room for discussion. In addition, many bugs are spotted but never written up, for lack of interest, time, or expertise.

The VULN-DEV list exists to allow people to report potential or undeveloped holes. The idea is to help people who lack the expertise, time, or information to research a hole do so.

The VULN-DEV list is dedicated to the concept of full disclosure. We believe that release of exploit code serves the security community overall. Since the list is dedicated to interactively researching vulnerabilities, there will generally NOT be an opportunity to warn software vendors or authors. In many cases it will not be clear that there is a problem until the exploit or description is finalized, at which point all list subscribers will know. It is very appropriate to notify vendors or authors as soon as it is clear there is a problem.

The subject of whether or not full disclosure is a good idea is not open for discussion on this list.

The VULN-DEV mailing list is a lightly moderated list intended to facilitate the open exchange of security holes and related information. Moderation is in place to control spam, flames, and off-topic discussion, and to kill tired threads.

0.1.2 What is appropriate content?

Please follow the guidelines below on what kind of information should be posted to the VULN-DEV list:

Basically, we want to facilitate people being able to verify and take advantage of holes. The word "hole" is used deliberately: it refers to a bug that has a potential security impact. You may very well find a buffer overflow in a program, but if that program is never used in a security context (it is not SETUID, not part of a CGI script, and so on), then it is probably not appropriate for the list. If you're not sure whether it applies, go ahead and post it. If it's not security related, either the moderator will stop it or the list members will point it out.

The DEV in VULN-DEV should give some indication of the spirit of the list. This is a developers' list. We research vulnerabilities and develop exploits. In some cases that will mean code, in others a description, or something to do "by hand". You don't need to be a developer to join the list. Lurkers are encouraged to subscribe. The list exists not just to produce exploits, but also to instruct those who wish to learn. If you aren't an exploit developer, but you'd like to be, we'll do our best to teach you. To that end, we hope people will be as descriptive as possible in their posts, and be willing to answer some questions.
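As an added illustration of the "security context" test described above (example code written for this page, not from the VULN-DEV FAQ or SecurityFocus): a small POSIX shell helper that reports whether a binary carries the setuid or setgid bit, plus a scanner that lists every such binary under a directory together with the owner and group whose privileges would be gained. This is the first check to run on a crash found in a local tool before deciding whether it is a bug or a hole. The function names and the directory scanned in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the VULN-DEV FAQ): decide whether a bug in a local
# binary crosses a privilege boundary.  A crash in a plain user-owned program
# is a bug; the same crash in a setuid/setgid binary is a "hole".
# Function names and the example directory are assumptions for illustration.

# priv_context PATH
#   Prints "setuid", "setgid", "setuid,setgid" or "none" for PATH.
priv_context() {
    f=$1
    ctx=""
    if [ -u "$f" ]; then            # set-user-ID bit present
        ctx="setuid"
    fi
    if [ -g "$f" ]; then            # set-group-ID bit present
        ctx="${ctx:+$ctx,}setgid"
    fi
    printf '%s\n' "${ctx:-none}"
}

# owner_group PATH
#   Prints "owner:group" of PATH, taken from ls(1) output because the two
#   stat(1) syntaxes (GNU -c, BSD -f) are incompatible.
owner_group() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# scan_dir DIR
#   Lists every regular file under DIR carrying the setuid or setgid bit,
#   one per line as "PATH CONTEXT OWNER:GROUP".  The privilege actually
#   gained is the owner (setuid) or the group (setgid), so both are shown.
scan_dir() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r p; do
        printf '%s %s %s\n' "$p" "$(priv_context "$p")" "$(owner_group "$p")"
    done
}

# Usage from an interactive shell (output depends on the host):
#   scan_dir /usr/bin
#   priv_context /usr/bin/passwd
```

Two caveats a practitioner should keep in mind: the setuid/setgid bits are only one of the contexts the FAQ mentions, so a program reached through a CGI script or a network daemon has to be checked by looking at how it is invoked rather than at its mode bits; and the bits are ignored on a filesystem mounted with nosuid, so a binary that reports "setuid" here is not necessarily a privilege boundary on that host.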

0.1.3 What is inappropriate content?

0.1.4 Is the list moderated?

Yes.

0.1.5 Who are the moderators?

Aaron Adams aadams@securityfocus.com and David Mckinney dm@securityfocus.com.

0.2 List Management
0.2.1 How do I subscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBSCRIBE VULN-DEV Lastname, Firstname

You will receive a confirmation request message, which you must answer before the subscription takes effect.

0.2.2 How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of:

UNSUBSCRIBE VULN-DEV

If your email address has changed, email listadmin@securityfocus.com and I will remove you manually.

0.2.3 How do I disable mail delivery temporarily?

If you are simply going on vacation, you can turn off mail delivery without unsubscribing by sending LISTSERV the command:

SET VULN-DEV NOMAIL

To turn back on e-mail delivery use the command:

SET VULN-DEV MAIL

0.2.4 Is the list available in a digest format?

Yes. The digest is generated once a day.

0.2.5 How do I subscribe to the digest?

To subscribe to the digest, join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SET VULN-DEV DIGEST

0.2.6 How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body of:

SET VULN-DEV NODIGEST

If you want to unsubscribe from the list completely, then follow the instructions in section 0.2.2.

0.2.7 I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from which you are sending commands to LISTSERV. Either send the command from the subscribed address or email the moderator to be unsubscribed manually.

0.2.8 Can you add a tag like "[VULN-DEV]" to the subject line of each message?

You can set your LISTSERV options to do this for your subscription. To do so email LISTSERV@SECURITYFOCUS.COM with a message body of:

SET VULN-DEV SUBJ


Copyright 2006, SecurityFocus