Security Mailing Lists Come Under Fire

A Danish security company speaks out about what it perceives as censorship on several popular mailing lists.

A Danish security company, angry over what it perceives as censorship on several popular mailing lists, is launching "a revolution to remove SecurityFocus and CERT from power."

At present, the revolution consists of a new mailing list that will aggregate vulnerability advisories and other security-related reports from a variety of sources. Employees of Secunia Ltd. will take advisories from these sources, research and verify them and then submit them to the new list.

The list, known as the Secunia Security Advisories List, is designed to compete with lists such as SecurityFocus BugTraq and to complement more open lists, including VulnWatch and Full-Disclosure, Secunia executives say. Company executives are upset with the direction that BugTraq has taken since Symantec Corp. acquired SecurityFocus last year.

"The problem with SecurityFocus is not that they moderate the lists, but the fact that they deliberately delay and partially censor the information," said Thomas Kristensen, chief technology officer of Secunia, based in Copenhagen, Denmark. "Since they were acquired by Symantec, they changed their policy regarding BugTraq. Before they used to post everything to everybody at the same time. Now they protect the interests of Symantec, delay information and inform their customers in advance. This is a problem as only companies who pay over $30,000 can get access to this information."

Unlike some other security lists, BugTraq is actively moderated and therefore not every submission makes it onto the list.

Full-Disclosure, for instance, is only lightly moderated, meaning that virtually all posts are approved and immediately sent to subscribers.

SecurityFocus officials did not respond to a request for comment on this story.

Secunia officials also take the CERT Coordination Center to task for its policy of providing some organizations with advance notice of vulnerability reports as part of a fee-based program in cooperation with the Internet Security Alliance.

"At Secunia we feel that SecurityFocus has betrayed the community it used to serve so loyally, that's why we started Secunia," said Kristensen. "I believe that security information should be free, so that administrators can patch their systems and software developers can learn from the mistakes made by others."

Secunia is a provider of security services and tools.

Search for more stories by Dennis Fisher.