Zow Terry Brugger wrote:

>> ideal world. Many of the advisories I look at almost always cover the
>> same type of vulnerability. Shouldn't we have learned by now, if we
>> consider your argument?
>
> It's been a while, but one of the great things I've seen Bugtraq used for is
> to look at the distribution of vulnerabilities. In the past few years, my
> perception is that there's been a decline in the number of buffer overflow
> attacks and most of what we see today are web attacks like cross-site
> scripting and remote file injection. Seeing these trends is important because
> it tells us as a community where we need to focus our efforts.
>
>> However, perhaps one/I just need to shift the way I look at advisories.
>> Rather than seeing them as "late" and "out-of-date", they could be an
>> additional source of information about a particular system. I'll accept
>> that.
>
> That too. Let me tell you, if I ever need to set up a web forum for
> something, I'm going to look at Bugtraq to see what the track record is for
> the systems I'm considering.
>
>> are almost at the verge of being completely void. A remedy for that
>> would be to have the security community agree on a common "advisory
>> protocol" that defines a guideline for contents in an advisory. Anyways,
>
> Great idea! Much like the RFP vendor notification policy (which I haven't
> seen mentioned in a while, so I encourage everyone doing vulnerability
> research to see http://www.wiretrip.net/rfp/policy.html). Anyone care to
> propose a template (presumably if someone who the community respects does so,
> it's more likely to catch on)?

Yes, ideally if someone with a bit of community credibility could step up and propose a standard, that would certainly kick-start it a little. Another great benefit of such a template would be consistency in layout and contents.

Also, to improve the educational value of an advisory, it would be neat if an appropriate code segment of the vulnerability could be included. Now people will argue the whole intellectual property aspect, but I seriously doubt that 3-5 lines of code are going to affect anything.

Let's do something about this!

> Terry
>
> import standard.disclaimer;

- --
Chris Stromblad (CEH)
Head of Security Services
Outpost24 UK