Symantec Corp. officials are defending their practices for handling postings to the BugTraq mailing list in the face of criticism from an upstart competitor. The way the list is run hasnt changed since Symantec acquired BugTraqs owner, SecurityFocus, last summer, executives say.
“What I can tell you is that we never delay posting any message to BugTraq. And everyone gets access to the messages at the same time,” said Art Wong, vice president of security response at Symantec, based in Cupertino, Calif., and the former CEO of SecurityFocus.
Wongs comments contradict charges made by executives at Secunia Ltd., a Danish security company that has started a new mailing list meant to replace BugTraq. The list will aggregate vulnerability advisories from several sources. Officials at the company said last week that theyre starting the list because of what they perceive as changes in the way BugTraq has handled notifications in recent months.
“The problem with SecurityFocus is not that they moderate the lists but the fact that they deliberately delay and partially censor the information,” said Thomas Kristensen, chief technology officer of Secunia, based in Copenhagen, Denmark. “Since they were acquired by Symantec, they changed their policy regarding BugTraq. Before, they used to post everything to everybody at the same time. Now, they protect the interests of Symantec, delay information and inform their customers in advance.”
Wong said there is no truth to these accusations.
“The early warnings that our DeepSight customers get come from places like BugTraq and events and incidents that we monitor,” Wong said. “We dont give those alerts [from BugTraq] to our customers any sooner than anyone else gets them.”
The DeepSight Threat Management System, SecurityFocus flagship product, is an early-warning system that pulls data from intrusion detection system firewalls to alert administrators to emerging problems.