Wikipedia

Bugtraq

Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues were new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month,[1] and almost all new security vulnerabilities were discussed on the list in its early days. The forum provided a vehicle for anyone to disclose and discuss computer vulnerabilities, including security researchers and product vendors. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.

History

Bugtraq was created on November 5, 1993 by Scott Chasin[2] in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure. The list was sometimes spelled BugTraq, but common usage over the years called it Bugtraq. It grew to 2,500 subscribers by May 19, 1995[3] and over 40,000 by February 2000.[4]

Elias Levy, known as Aleph One (alluding to the cardinal number aleph one), noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing." Levy considered the idea of abstracting Bugtraq to be platform-specific, to reduce irrelevant information for those interested only in particular operating systems.[5][6]

Bugtraq was originally hosted at Crimelab.com, run by Scott Chasin. It was moved to the Brown University NetSpace Project—which has since been reorganized as the NetSpace Foundation—on June 5, 1995, the same day its moderation began. In July 1999 it became the property of SecurityFocus and was moved there.[7][8] SecurityFocus was acquired in full by Symantec on August 6, 2002.[9] As of February 25, 2020, traffic from the list stopped without explanation.[10] In 2002, the Full-Disclosure mailing list was created because many people felt the list had "changed for the worse".[11]

On April 30, 2020, Accenture Security completed its acquisition of Symantec's Cybersecurity Services including SecurityFocus, which included Bugtraq.[12]

Controversy

Moderation

The mailing list was originally unmoderated, then received only occasional moderation that many participants considered inadequate. In one incident, what appeared to be sensitive credit-card information was allowed to be posted.[13] Subsequent posts challenged many aspects of the list, including the full disclosure of vulnerabilities, and suggested it either go unmoderated or that moderators change the way they approached it.[14]

Moderation began on June 5, 1995. Elias Levy moderated the list from June 14, 1996 until he stepped down on October 15, 2001. David Mirza Ahmad, one of the many co-authors of Hack Proofing Your Network, Second Edition, took over from Levy and continued until he stepped down on February 23, 2006.[15] David McKinney, a DeepSight threat analyst at Symantec, took over from Ahmad. Moderation duties have now been assumed by another DeepSight analyst, Prasanna.[16]

During his tenure, Ahmad proposed the list adopt more "community involvement" and "a more democratic process for making important decisions on the future of Bugtraq and the Security Focus website".[17] Despite receiving feedback according to Alfred Huger,[18] further community involvement did not manifest.

Delays in Moderation

Delays in list moderation have occurred several times, sometimes due to technical issues[19] and DDoS attacks.[20] Other times, posts to the lists have vanished due to unspecified "mail problems".[21] In August 1997, the list went quiet for several days as Aleph One was on vacation and the person entrusted to moderate failed to do so.[22] After the list was transitioned to SecurityFocus and Symantec acquired the company, some researchers noticed that their posts to the lists were delayed, as moderation no longer occurred on weekends. Despite the delays, vulnerability information from some of those posts was used in Symantec's DeepSight commercial offering, which includes a vulnerability database.[23]

Copyrighted Advisories

In late 2000, when Levy posted the full content of a Microsoft security advisory to the list, Microsoft complained that it was a copyright violation.[24]

Demise

As of February 24, 2020, Symantec stopped approving posts to Bugtraq.[25] No final message from the list administrators and no statement from Symantec was posted. This came after the BID vulnerability database maintained by Symantec stopped being publicly updated on July 26, 2019, just over one month before it was acquired by Broadcom.[26] On January 1, 2021, Accenture announced that Bugtraq would be shut down.[27] On January 15, 2021, what appeared to be a final email was sent to the list confirming it was being shut down, citing "resources for the BugTraq mailing list have not been prioritized".[28] However, the decision was reconsidered based on feedback from the community, and on January 17, 2021, Accenture posted a message to the list announcing the continuation of Bugtraq,[29] and followed up with a lengthier blog explaining their goals.[30] The continuation announcement was the last message ever published to the mailing list and no further activity is recorded in any of the public archives.

References

  1. "Bugtraq". Retrieved 2021-01-17.
  2. "History". Retrieved 2021-01-17.
  3. "From the moderator: READ Please". 1995-05-19. Retrieved 2021-01-17.
  4. "Administrivia". 2000-02-14. Retrieved 2021-01-17.
  5. "Administrivia". 1999-10-11. Retrieved 2021-01-17.
  6. "Administrivia: Mailing List Software". 2001-03-10. Retrieved 2021-01-17.
  7. "Administrivia". 1999-07-05. Retrieved 2021-01-17.
  8. Masnick, Mike (2002-07-17). "Symantec Buys SecurityFocus/BugTraq". TechDirt. Retrieved 2021-01-17.
  9. "Symantec Acquisition of SecurityFocus Completed". 2002-08-06. Archived from the original on December 6, 2003. Retrieved 2021-01-17.
  10. "Bugtraq: 40 messages starting Feb 03 20 and ending Feb 25 20". Retrieved 2021-01-17.
  11. "Re: Announcing new security mailing list". July 11, 2002. Retrieved 2021-01-17.
  12. "Accenture Completes Acquisition of Broadcom's Symantec Cyber Security Services Business". Accenture.com. April 30, 2020. Retrieved 2020-01-17.
  13. "Time for moderation?".
  14. "What is the point here?".
  15. "Administrivia: New Bugtraq moderator".
  16. SecurityFocus
  17. "Administrivia: [Important] Community Involvement in the Future of Bugtraq".
  18. "Results of the vote query".
  19. "Administrivia: Recent list delays".
  20. "Administrivia".
  21. "Administrivia: Mail Problems".
  22. "Dead Air".
  23. jerichoattrition (June 16, 2017). "Your yearly reminder to post to Full-Disclosure, not Bugtraq". Archived from the original on 2018-11-01.
  24. "Administrivia: No More Microsoft Bulletins".
  25. "Bugtraq: by thread (Feb 2020 Archive)".
  26. "Broadcom acquires Symantec's enterprise business for $10.7 billion". Retrieved 19 May 2020.
  27. "BugTraq Shutdown". seclists.org. 2021-01-15. Retrieved 2021-01-17.
  28. "Bugtraq: BugTraq Shutdown". seclists.org. Retrieved 2021-01-15.
  29. "On Second Thought..." seclists.org. 2021-01-17. Retrieved 2021-01-17.
  30. "The Future of Bugtraq | Accenture". WordPressBlog. Retrieved 2021-02-07.

External links

  • SecurityFocus - Mailing Lists (Bugtraq is the first mailing list under the Most Popular heading)
  • BUGTRAQ - VULNERABLE SITES TRACKER (First Professional Vulnerable Sites Tracker)
