[VulnWatch] Administrivia: acceptable postings

From: Chris Wysopal (weld@vulnwatch.org)
Date: 03/26/03

  • Next message: NSFCOSU Security Team: "[VulnWatch] NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability"
    Date: Wed, 26 Mar 2003 21:43:04 +0000 (GMT)
    From: Chris Wysopal <weld@vulnwatch.org>
    To: vulnwatch@vulnwatch.org, <vulndiscuss@vulnwatch.org>
    
    

    There have been some questions as to which postings are in and out of scope
    for the VulnWatch list. This is the VulnWatch approval policy.

    VulnWatch Acceptable Postings
    -----------------------------

    Announcements of new vulnerabilities in software or hardware. These
    typically take the form of a security researcher's or product vendor's
    advisory, but may be less formal.

    Additional postings on the same topic must include significant new
    information concerning the vulnerability. For example, if a researcher
    posts a detailed advisory, a later vendor's advisory will typically be
    rejected unless it adds significant new vulnerability detail.

    VulnWatch Unacceptable Postings
    -------------------------------

    Vendor or coordinator bulletins that add no more information above what has
    already been published.

    Vulnerabilities that have negligible impact:

    * XSS issues that have negligible impact. Example: user can send
      themselves javascript by doing a search on a web site.

    * Info disclosure issues that have negligible impact. Example: error
      message discloses the document root of the web server.

    * Issues that require another unknown or already known vulnerability to
      have any impact. Example: if user shares out their filesystem, sensitive
      unencrypted data may be disclosed. Announcements of 2 new distinct issues
      that combine to form a vulnerability are acceptable.

    * Vulnerabilities in custom software that only affect one site.

    Announcements of tools or conferences.

    Discussion followups to an announcement.

    VulnWatch Postings Forwarded To VulnDiscuss
    -------------------------------------------

    Frequently people comment on advisories sent to the list in a followup
    message. VulnWatch is announcement only. VulnDiscuss was created to handle
    the discussion that frequently follows an advisory announcement. If a
    discussion posting is sent to VulnWatch it will be approved on the
    VulnDiscuss list.

    VulnDiscuss Acceptable Postings
    -------------------------------

    Anything technical pertaining to hardware and software vulnerabilities and
    the discussion of VulnWatch announcements. This includes vulnerability
    finding tools, conferences that discuss vulnerabilities, and discussion of
    vulnerability solutions.

    VulnDiscuss Unacceptable Postings
    ---------------------------------

    Anything non-technical or not relating to vulnerabilities is prohibited.
    As is any advertising or self promotion.

    Signed,

    VulnWatch Moderators:
    Steve Manzuik
    Rain Forest Puppy
    Chris Wysopal

