Symantec Defends BugTraq Policies

Last week, a Danish security company accused Symantec of deliberately delaying and partially censoring information.

Symantec Corp. officials are defending their practices for handling postings to the BugTraq mailing list in the face of criticism from an upstart competitor. The way the list is run and when messages are posted hasn't changed at all since Symantec acquired BugTraq's owner, SecurityFocus, last summer, executives say.

"What I can tell you is that we never delay posting any message to BugTraq. And everyone gets access to the messages at the same time," said Art Wong, vice president of security response at Symantec, based in Cupertino, Calif., and the former CEO of SecurityFocus.

Wong's comments contradict charges made by executives at Secunia Ltd., a Danish security company that has started a new mailing list meant to replace BugTraq. The list will aggregate vulnerability advisories from several sources. Officials at the company said last week that they're starting the list because of what they perceive as changes in BugTraq in recent months.

"The problem with SecurityFocus is not that they moderate the lists, but the fact that they deliberately delay and partially censor the information," said Thomas Kristensen, CTO of Secunia, based in Copenhagen, Denmark. "Since they were acquired by Symantec they changed their policy regarding BugTraq. Before they used to post everything to everybody at the same time. Now they protect the interests of Symantec, delay information and inform their customers in advance."

Wong says there is no truth to these accusations.

"The early warnings that our DeepSight customers get come from places like BugTraq and events and incidents that we monitor," Wong said. "We don't give those alerts [from BugTraq] to our customers any sooner than anyone else gets them."

The DeepSight Threat Management System, SecurityFocus' flagship product, is an early-warning system that pulls data from IDS and firewalls to alert administrators to emerging problems.

Wong stressed that the people who run the BugTraq list operate independently of the Symantec corporate structure and handle every message the same way.

"These guys carry SecurityFocus business cards, and they handle Symantec vulnerabilities the same way they handle anyone else's," he said. "BugTraq has been operating this way since 1993, it was that way before they acquired us and it's remained that way since [the acquisition in] August 2002."

Search for more stories by Dennis Fisher.