Message-ID: <0861ac60-20f3-4fb6-ba6d-28f9506823b8@innerheight.com>
Date: Thu, 17 Apr 2025 09:26:53 +0200
From: Jan Klopper <janklopper@...erheight.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE program averts swift end

That is a bit of a short-sighted response.

We cannot query your brain for information, and thinking that you can 
actively avoid any issues by updating to the newest version is not only 
a fantastic dream, it's also a potential route to getting compromised, as 
not every new version of every bit of software is safe, or solves all 
known problems.

Having a query-able and well maintained list of known issues helps in 
cases where you know what software you are using, and what risks you are 
running by using them, regardless of the possibility of updates, 
mitigations or your ability to keep track of mailing lists for every 
software you use.

Yes, money is spent, and a bit much at that, but when you start 
factoring in the people running the thing, and the maintenance that the 
lists, hardware, surrounding communication and everything else cost, I'm 
not sure there's a cheaper option available. Besides, it's a public 
service; moving this to volunteer-driven solutions isn't going to 
provide the time-critical responses this needs, and moving it to a 
company means there will be profit to be made, or competing lists that 
need to be bought because of balkanization.

On 4/16/25 21:05, Marco Moock wrote:
> On 16.04.2025 at 16:57:20 Rolf Reintjes wrote:
>
>> any comments on this?:
>>
>> https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
> I don't see a real use-case for such databases - especially if they
> consume that much money. I subscribe to the security mailing lists or
> newsgroups for the operating systems and software I use and install new
> versions immediately - if possible automated.
>
>
