Creating an Open Alternative to Bugtraq?
mbogosian asks: "I am not a sysadmin, nor am I a security expert, but I appreciate those who are. In response to a recent story, I went out and registered two domain names: opentraq.org and opentraq.net. I am hereby throwing down the gauntlet: I am willing to have them resolve to DNS servers belonging to a group of volunteers who wish to start and maintain an Open alternative to security services like BugTraq and others offered at the SecurityFocus website without being encumbered by the OIS Security Vulnerability Reporting And Response Process. I will continue to pay the renewal fees for the names as long as someone wants to continue the effort. After the project becomes established and is maintained by a reputable (i.e., non-commercial) group of volunteers, I am willing to transfer ownership of the domains to that group at no cost. Feel free to contact me if you are interested. Let the discussion begin!" Do you feel such a thing is necessary at this time? Why or why not?
let me get this straight, you ripped off an idea, spent $9 bucks on a domain and expect the real hard work to be done by a bunch of grateful volunteers. meanwhile, some dufus thought this was so amazing they posted the story on slashdot. great work all around people. if only it were really this easy.
The bug finding, reporting, fixing, and patching process should minimize the potential damage. If your goal is to minimize damage then neither full immediate disclosure nor no disclosure is a good answer. Bruce Schneier has written a good article about full disclosure in his Crypto-Gram newsletter.
Unless bugtraq is falling down on the job, why do we need another one?
I applaud your initiative, but honestly, I don't see either the need or the point.
Check out my eclectic infosec blog at InfoSecPotpou
OK.. so how do you fix Security Focus' plan to snip the balls from bugtraq? Watching SF's change from a small site to a very corporate site, I wonder how long it would take for bugtraq to lose what made it the first mail list I read every morning.
IMO, having an open and non-corp backed mail list to handle security bugs and the like would be the natural evolution needed to ensure sysadmins have the most up to date info.
"Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
I'm sorry if you are being genuine, as I do not mean to offend but.....
This smells like a slightly new twist on good old domain prospecting, parking, hijacking. You want someone else to build a site that will require a lot of work and moreover, A LOT of bandwidth and in return you will allow them to use your name. So, if this new superfluous site is successful, you get the credit/money with virtually no investment, monetary or sweat equity.
I doubt very much that anyone will take you up on this offer.
I don't see any problem with bugtraq. I'm happily subscribed and read the emails I get. I don't really see the need for effort to duplicate a system that exists and works, more or less. For the parts that don't work so great, there are already several other groups/systems/sites out there (that have been mentioned in this thread), and individuals and very small groups fill in the cracks even further.
Don't become a regular here, you will become retarded. -- Yoda the Retard