Symantec has acquired SecurityFocus, the place where you could always find full security information and the organization that runs mailing lists such as BugTraq… There would be nothing wrong with that, were it not for the new owner's philosophy. No more full information about bugs. First, a notice will be sent that a problem exists and that a patch should be applied. Only after thirty days is a fuller description supposed to appear. No more information that makes exploiting a bug easier… More below.

From Thu Jul 18 12:21:27 2002
Date: Wed, 17 Jul 2002 15:27:54 -0600
From:
To:
Subject: Administrivia: Symantec acquiring SecurityFocus

Good day,

Today, SecurityFocus and Symantec announced that Symantec is acquiring SecurityFocus. Symantec sees real value in the services SecurityFocus provides to its customers and believes they are an excellent fit with their current offerings. We at SecurityFocus see this as an opportunity to provide even better services for the security community.

Symantec recognizes the value and uniqueness of the public services SecurityFocus provides to the community, such as the numerous mailing lists we host and the content we provide via the SecurityFocus Online web site.

In particular, Symantec and SecurityFocus want to ease any fears as to whether the character of this mailing list will change.

Frequently Asked Questions:

Q. What is the Symantec strategy for keeping data sources?

A. We believe it is critical to maintain the integrity of the existing security community currently part of the SecurityFocus portal and Bugtraq mailing list.

Q. What is Symantec's disclosure policy?

A. Symantec believes in responsible vulnerability disclosure and is active in initiatives to set best practices in this area. Our first priority is to help our customers protect their computing assets by providing tools and information to safeguard their systems.

We will work with vendors, if we discover vulnerabilities in other products, to report and investigate the issue in a thorough and timely fashion, in the same way that Symantec will work with other security researchers if they find an issue with any Symantec technology.

We observe a 30-day grace period after the notification of a security advisory to give users an opportunity to apply the patch. During this grace period, we provide our customers significant information about the vulnerability and the fix, but not step-by-step instructions for exploiting the vulnerability. We do not provide detailed exploit code or provide samples of malicious code except to other trusted security researchers and in a secured manner.

Q. Will Symantec change SecurityFocus' vulnerability reporting policy?

A. We believe that in order for the SecurityFocus/Bugtraq community to be effective, it must be an independent entity. We believe that its current disclosure policy is appropriate for the venue. Symantec will continue to operate with its separate disclosure policy.

Sincerely,
Elias Levy, David Ahmad,
and the rest of the SecurityFocus staff

Archival news item added by user: honey.