Bugtraq

From Wikipedia, the free encyclopedia

Bugtraq is an electronic mailing list dedicated to computer security issues. On-topic material includes new discussions of vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, with as many as 776 posts in a month[1], and in its early days almost all new vulnerabilities were discussed on the list. The forum provides a vehicle for anyone, including security researchers and product vendors, to disclose and discuss computer vulnerabilities. In December 1998, a FAQ for the list was first proposed but ultimately never posted[2].

History

Bugtraq was created on November 5, 1993, by Scott Chasin[3] in response to the perceived failings of the Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities regardless of vendor response, as part of the full disclosure movement. The list grew to 2,500 subscribers by May 19, 1995[4] and to over 40,000 subscribers by February 2000[5].

Elias Levy, also known as Aleph One (alluding to the cardinal number aleph one), noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing." Levy considered the idea of splitting Bugtraq into platform-specific lists in order to reduce noise for those interested in, for example, Unix rather than Windows[6][7].

Bugtraq was originally hosted at Crimelab.com, run by Scott Chasin. It was moved to the Brown University NetSpace Project (since reorganized as the NetSpace Foundation) on June 5, 1995, the same day that its moderation began. In July 1999 it became the property of SecurityFocus and was moved there[8][9]. SecurityFocus was acquired in full by Symantec on August 6, 2002[10]. As of February 25, 2020, traffic from the list stopped without explanation[11]. In 2002, the Full-Disclosure mailing list was created because many people felt the list had "changed for the worse"[12].

Controversy

Moderation

The mailing list was originally unmoderated, but the signal-to-noise ratio eventually became unacceptably bad. One early question of whether moderation was warranted came after what appeared to be sensitive information, in the form of credit card details, was posted[13]. A subsequent call challenged many aspects of the list, including the full disclosure of vulnerabilities, and suggested that the list either go unmoderated or that the moderators change the way they approached the list[14].

Moderation began on June 5, 1995. Elias Levy moderated the list from June 14, 1996 until he stepped down on October 15, 2001. David Mirza Ahmad, one of the many co-authors of Hack Proofing Your Network, Second Edition, took over from Levy and continued until he stepped down on February 23, 2006[15]. David McKinney, a DeepSight threat analyst at Symantec, took over from Ahmad, although moderation has since been passed on to another DeepSight analyst, Prasanna[16].

During his tenure as moderator, Ahmad proposed that the list adopt more "community involvement" and "a more democratic process for making important decisions on the future of Bugtraq and the Security Focus website"[17]. Although feedback was received, according to Alfred Huger[18], further community involvement never materialized.

Delays in Moderation

Delays in list moderation have occurred several times during the history of the list, sometimes due to technical issues[19] or a DDoS attack[20]. At other times, posts to the list vanished due to "mail problems"[21]. In August 1997, the list went quiet for several days while Aleph One was on vacation and the person entrusted to moderate failed to do so[22]. After the list was transitioned to SecurityFocus and Symantec acquired the company, some researchers noticed that their posts to the list were delayed. Moderation was known not to occur on weekends, which explained the delay. Despite the moderation delay, vulnerability information from some of those posts was used in Symantec's DeepSight commercial offering, which includes a vulnerability database[23].

Copyrighted Advisories

In late 2000, after Levy posted the full content of a Microsoft security advisory to the list, Microsoft complained that this was a copyright violation[24].

Demise

As of February 24, 2020, Symantec stopped approving posts to the Bugtraq mailing list[25]. No final message from the list administrators and no statement from Symantec was posted. This came after the BID vulnerability database maintained by Symantec stopped being publicly updated on July 26, 2019, just over one month before Symantec's enterprise business was acquired by Broadcom[26].

References

  1. ^ https://seclists.org/bugtraq/
  2. ^ "Administrivia: FAQ".
  3. ^ https://www.securityfocus.com/archive/1/description#0.2.1
  4. ^ "From the moderator: READ Please".
  5. ^ "Administrivia".
  6. ^ "Administrivia".
  7. ^ "Administrivia: Mailing List Software".
  8. ^ "Administrivia".
  9. ^ "Symantec Buys SecurityFocus/BugTraq". Retrieved 19 May 2020.
  10. ^ "Symantec Acquisition of SecurityFocus Completed". Archived December 6, 2003, at the Wayback Machine.
  11. ^ https://seclists.org/bugtraq/2020/Feb/index.html
  12. ^ https://seclists.org/fulldisclosure/2002/Jul/7
  13. ^ "Time for moderation?".
  14. ^ "What is the point here?".
  15. ^ "Administrivia: New Bugtraq moderator".
  16. ^ SecurityFocus.
  17. ^ "Administrivia: [Important] Community Involvement in the Future of Bugtraq".
  18. ^ "Results of the vote query".
  19. ^ "Administrivia: Recent list delays".
  20. ^ "Administrivia".
  21. ^ "Administrivia: Mail Problems".
  22. ^ "Dead Air".
  23. ^ https://blog.osvdb.org/2017/06/16/your-yearly-reminder-to-post-to-full-disclosure-not-bugtraq/
  24. ^ "Administrivia: No More Microsoft Bulletins".
  25. ^ "Bugtraq: by thread (Feb 2020 Archive)".
  26. ^ "Broadcom acquires Symantec's enterprise business for $10.7 billion". Retrieved 19 May 2020.