OpenBSD Journal

Symantec acquiring SecurityFocus

Contributed by Dengue on from the 0wn3d dept.

Announced on BugTraq today:
Subject: Administrivia: Symantec acquiring SecurityFocus
   Date: Wed, 17 Jul 2002 15:27:54 -0600

Good day,

Today, SecurityFocus and Symantec announced that Symantec is acquiring
SecurityFocus. Symantec sees real value in the services SecurityFocus
provides to its customers and believes they are an excellent fit with
their current offerings. We at SecurityFocus see this as an opportunity to
provide even better services for the security community.

Symantec recognizes the value and uniqueness of the public services
SecurityFocus provides to the community, such as the numerous mailing
lists we host and the content we provide via the SecurityFocus Online web

In particular, Symantec and SecurityFocus want to ease any fears as to
whether the character of this mailing list will change.

Frequently Asked Questions:

Q. What is the Symantec strategy for keeping data sources?

A. We believe it is critical to maintain the integrity of the existing
   security community currently part of the SecurityFocus portal and
   Bugtraq mailing list.

Q. What is Symantec's disclosure policy?

A. Symantec believes in responsible vulnerability disclosure and is active
   in initiatives to set best practices in this area. Our first priority
   is to help our customers protect their computing assets by providing
   tools and information to safeguard their systems.

   We will work with vendors, if we discover vulnerabilities in other
   products, to report and investigate the issue in a thorough and timely
   fashion, in the same way that Symantec will work with other security
   researchers if they find an issue with any Symantec technology.

   We observe a 30-day grace period after the notification of a security
   advisory to give users an opportunity to apply the patch. During this
   grace period, we provide our customers significant information about
   the vulnerability and the fix, but not step-by-step instructions for
   exploiting the vulnerability. We do not provide detailed exploit code
   or provide samples of malicious code except to other trusted security
   researchers and in a secured manner.

Q. Will Symantec change SecurityFocus' vulnerability reporting policy?

A. We believe that in order for the SecurityFocus/Bugtraq community to be
   effective, it must be an independent entity. We believe that its
   current disclosure policy is appropriate for the venue. Symantec will
   continue to operate with its separate disclosure policy.

Elias Levy, David Ahmad,
and the rest of the SecurityFocus staff


  1. By Anonymous Coward () on

    Oh well, another one bites the dust.

  2. By Anonymous Coward () on

    ωνω mode/#securityfocus [+lame symantec] by AnonCoward

  3. By RC () on

    We do not provide detailed exploit code or provide samples of malicious code except to other trusted security researchers and in a secured manner.

    Great, just great. You no longer get to test your own systems using exploit code pulled off of securityfocus, unless you are one of their few 'trusted security partners'.

    As it says on the bugtraq-replacement list at :

    full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need to survive.

    1. By Anonymous Coward () on

      Personally, I patch systems when vulnerabilities are found. Apparently you run exploits against yours...


      1. By Anonymous Coward () on

        So you patch even though there might not be any need for that? Due to configuration or due to not having that specific application?
        You are not worried about applications made by companies who claim that their software won't work if you install system above SP1? <-- they do exist

        1. By Anonymous Coward () on

          For the most part yes. If there's a vulnerability found in a daemon that I use, I'm going to patch it. ...and I certainly don't run any software that would require me to run an unpatched version of OpenBSD :p

    2. By Cokeman () on

      This annoys me. Trying out exploits posted on bugtraq to generate signatures designed for tools such as Snort is something I'll definitely miss.

  4. By Not Really Anonymous () on

    Since Symantec is now taking over SecurityFocus and Bugtraq, who will the security community look to?



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]