Bugtraq

{{Short description|Computer security mailing list}}

Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues included new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month,{{cite web |url=https://seclists.org/bugtraq/ |title=Bugtraq |access-date=2021-01-17}} and in its early days almost all new security vulnerabilities were discussed on the list. The forum provided a vehicle for anyone, including security researchers and product vendors, to disclose and discuss computer vulnerabilities. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.

History

Bugtraq was created on November 5, 1993 by Scott Chasin{{cite web |url=https://www.securityfocus.com/archive/1/description#0.2.1 |title=History |access-date=2021-01-17}} in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities regardless of vendor response, as part of the full disclosure movement. The list was sometimes spelled BugTraq, but common usage over the years called it Bugtraq. It grew to 2,500 subscribers by May 19, 1995{{cite web |title=From the moderator: READ Please |url=https://seclists.org/bugtraq/1995/May/189 |date=1995-05-19 |access-date=2021-01-17}} and over 40,000 by February 2000.{{cite web |title=Administrivia |url=https://seclists.org/bugtraq/2000/Feb/191 |access-date=2021-01-17 |date=2000-02-14}}

Elias Levy, known as Aleph One (alluding to the cardinal number aleph one), noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing." Levy considered splitting Bugtraq into platform-specific lists, to reduce irrelevant traffic for subscribers interested only in particular operating systems.{{cite web |title=Administrivia |url=https://seclists.org/bugtraq/1999/Oct/123 |date=1999-10-11 |access-date=2021-01-17}}{{cite web |title=Administrivia: Mailing List Software |url=https://seclists.org/bugtraq/2001/Mar/137 |date=2001-03-10 |access-date=2021-01-17}}

Bugtraq was originally hosted at Crimelab.com, run by Scott Chasin. It was moved to the Brown University NetSpace Project, which has since been reorganized as the [http://www.netspace.org/ NetSpace Foundation], on June 5, 1995, the same day its moderation began. In July 1999 it became the property of SecurityFocus and was moved there.{{cite web |title=Administrivia |url=https://seclists.org/bugtraq/1999/Jul/29 |date=1999-07-05 |access-date=2021-01-17}}{{cite web |title=Symantec Buys SecurityFocus/BugTraq |url=https://www.techdirt.com/articles/20020717/1825218.shtml |date=2002-07-17 |first=Mike |last=Masnick |publisher=TechDirt |access-date=2021-01-17}} SecurityFocus was acquired in full by Symantec on August 6, 2002.{{cite web |url=http://www.symantec.com/press/2002/n020806.html |title=Symantec Acquisition of SecurityFocus Completed |url-status=dead |archive-url=https://web.archive.org/web/20031206020446/http://www.symantec.com/press/2002/n020806.html |date=2002-08-06 |archive-date=December 6, 2003 |access-date=2021-01-17}} In 2002, the Full-Disclosure mailing list was created because many people felt the list had "changed for the worse".{{cite web |url=https://seclists.org/fulldisclosure/2002/Jul/7 |title=Re: Announcing new security mailing list |date=July 11, 2002 |access-date=2021-01-17}} As of February 25, 2020, traffic from the list stopped without explanation.{{cite web |url=https://seclists.org/bugtraq/2020/Feb/index.html |title=Bugtraq: 40 messages starting Feb 03 20 and ending Feb 25 20 |access-date=2021-01-17}}

On April 30, 2020, Accenture Security completed its acquisition of Symantec's Cybersecurity Services, including SecurityFocus and with it Bugtraq.{{cite web |url=https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadcoms-symantec-cyber-security-services-business.htm |title=Accenture Completes Acquisition of Broadcom's Symantec Cyber Security Services Business |date=April 30, 2020 |website=Accenture.com |access-date=2020-01-17}}

Controversy

= Moderation =

The mailing list was originally unmoderated, then received only occasional moderation that many participants considered inadequate. In one incident, what appeared to be sensitive credit-card information was allowed to be posted.{{cite web |title=Time for moderation? |url=https://seclists.org/bugtraq/1994/Oct/73}} Subsequent posts challenged many aspects of the list, including the full disclosure of vulnerabilities, and suggested it either go unmoderated or that moderators change the way they approached it.{{cite web |title=What is the point here? |url=https://seclists.org/bugtraq/2004/Jan/159}}

Moderation began on June 5, 1995. Elias Levy moderated the list from June 14, 1996 until he stepped down on October 15, 2001. David Mirza Ahmad, one of the many co-authors of [http://www.oreilly.com/catalog/1928994709/ Hack Proofing Your Network, Second Edition], took over from Levy and continued until he stepped down on February 23, 2006.{{cite web |title=Administrivia: New Bugtraq moderator |url=https://seclists.org/bugtraq/2006/Feb/444}} David McKinney, a [https://web.archive.org/web/20060908113851/http://www.symantec.com/Products/enterprise?c=prodinfo&refId=988&cid=1017 DeepSight threat analyst] at Symantec, took over from Ahmad. Moderation duties were later assumed by another DeepSight analyst, Prasanna.[http://www.securityfocus.com/archive/1/425940/30/1860/threaded SecurityFocus]

During his tenure, Ahmad proposed that the list adopt more "community involvement" and "a more democratic process for making important decisions on the future of Bugtraq and the Security Focus website".{{cite web |title=Administrivia: [Important] Community Involvement in the Future of Bugtraq |url=https://seclists.org/bugtraq/2003/Sep/131}} Although, according to Alfred Huger, feedback was received,{{cite web |title=Results of the vote query |url=https://seclists.org/bugtraq/2003/Sep/219}} further community involvement did not materialize.

= Delays in Moderation =

Delays in list moderation occurred several times, sometimes due to technical issues{{cite web |title=Administrivia: Recent list delays |url=https://seclists.org/bugtraq/2002/Jun/325}} and DDoS attacks.{{cite web |title=Administrivia |url=https://seclists.org/bugtraq/2000/Feb/191}} At other times, posts to the list vanished due to unspecified "mail problems".{{cite web |title=Administrivia: Mail Problems |url=https://seclists.org/bugtraq/2001/May/58}} In August 1997, the list went quiet for several days while Aleph One was on vacation and the person entrusted to moderate failed to do so.{{cite web |title=Dead Air |url=https://seclists.org/bugtraq/1997/Aug/100}} After the list was transitioned to SecurityFocus and Symantec acquired the company, some researchers noticed that their posts to the list were delayed, as moderation no longer occurred on weekends. Despite the delays, vulnerability information from some of those posts was used in Symantec's DeepSight commercial offering, which includes a vulnerability database.{{cite web |url=https://blog.osvdb.org/2017/06/16/your-yearly-reminder-to-post-to-full-disclosure-not-bugtraq/ |url-status=dead |archive-url=https://archive.today/20181101194326/https://blog.osvdb.org/2017/06/16/your-yearly-reminder-to-post-to-full-disclosure-not-bugtraq/ |archive-date=2018-11-01 |title=Your yearly reminder to post to Full-Disclosure, not Bugtraq |author=jerichoattrition |date=June 16, 2017 |access-date=2020-05-17 }}

= Copyrighted Advisories =

In late 2000, when Levy posted the full content of a Microsoft security advisory to the list, Microsoft complained that it was a copyright violation.{{cite web |title=Administrivia: No More Microsoft Bulletins |url=https://seclists.org/bugtraq/2000/Dec/103}}

Demise

As of February 24, 2020, Symantec stopped approving posts to Bugtraq.{{cite web |title=Bugtraq: by thread (Feb 2020 Archive) |url=https://seclists.org/bugtraq/2020/Feb/index.html}} No final message from the list administrators and no statement from Symantec was posted. This came after the [https://www.securityfocus.com/bid/ BID vulnerability database] maintained by Symantec stopped being publicly updated on July 26, 2019, just over one month before Symantec's enterprise business was acquired by Broadcom.{{cite web |title=Broadcom acquires Symantec's enterprise business for $10.7 billion |website=CNBC |date=8 August 2019 |url=https://www.cnbc.com/2019/08/08/broadcom-acquires-symantecs-enterprise-business-for-10point7-billion.html |accessdate=19 May 2020}} On January 1, 2021, Accenture announced that Bugtraq would be shut down.{{cite web|date=2021-01-15|title=BugTraq Shutdown|url=https://seclists.org/bugtraq/2021/Jan/0|access-date=2021-01-17|website=seclists.org}} On January 15, 2021, what appeared to be a final email was sent to the list confirming it was being shut down, citing that "resources for the BugTraq mailing list have not been prioritized".{{Cite web|title=Bugtraq: BugTraq Shutdown|url=https://seclists.org/bugtraq/2021/Jan/0|access-date=2021-01-15|website=seclists.org}} However, the decision was reconsidered based on feedback from the community, and on January 17, 2021, Accenture posted a message to the list announcing the continuation of Bugtraq,{{cite web|date=2021-01-17|title=On Second Thought...|url=https://seclists.org/bugtraq/2021/Jan/1|access-date=2021-01-17|website=seclists.org}} followed by a longer blog post explaining their goals.{{Cite web|title=The Future of Bugtraq {{!}} Accenture|url=https://www.accenture.com/us-en/blogs/cyber-defense/future-of-bugtraq|access-date=2021-02-07|website=WordPressBlog|language=en}} The continuation announcement was the last message ever published to the mailing list, and no further activity is recorded in any of the public archives.

References