OSVDB is fuming over Symantec’s unilateral decision to post certain vulnerabilities only at the Symantec AV Center.
In such cases, Symantec posts only an announcement message with a link at Bugtraq… which is hosted by Symantec’s SecurityFocus… which was once 100% independent.
OSVDB points out that security companies come and go… even big ones… and their vulnerability histories go with them. The possibility that Symantec might later modify or erase its own vulnerability entries comes into play as well.
Conclusion: Symantec must post full vulnerability information on disinterested third party sites.
OK. But who’s gonna make ‘em?

2 comments
August 11th, 2006 at 12:22 pm
djfh
This is just bad reporting — there was no “unilateral” decision. Here is a rebuttal:
http://www.securityfocus.com/archive/1/442864/30/0/threaded
August 11th, 2006 at 1:05 pm
BJ Gillette
Hi djfh.
There was no “unilateral” decision? Did you read what’s on the other end of your link?
Dave McKinney (Symantec) wrote that, when he went to the shorter advisories… (and I am quoting here), “I rationalized this exception to myself by considering that this information would be hosted on the Symantec product security advisories page for the long term…”
Stop the tape. Since when did “I rationalized” become multi-lateral?
In addition, McKinney admits that industry outrage largely based on circulation of OSVDB’s complaint has stimulated a change in thinking. He’s not going to do that anymore.
If “bad reporting” means telling folks how OSVDB felt about what Symantec did… mea culpa.
Now that we have dealt with your peeve, it’s my turn. (And as I just posted a similar thought to a troll from a govt copyright group, I’m giving you the cut-and-paste, which is all your link-and-run is worth):
And do us both a favor. Pass this onto your boss, so your time will be put to better use.