This has been a long-recognized and proven thing, but every year we run into more glaring examples. SecurityFocus, who runs the BID database, which is part of Symantec’s DeepSight offering, routinely uses submissions to the Bugtraq mail list to seed their commercial database, sometimes days before approving the post. This means subscribers who use Bugtraq as one of many sources of ‘real-time’ vulnerability intelligence routinely get the short end of the stick. Full-Disclosure, managed by Fyodor and team, do not have that commercial interest in the content of the posts to the FD. Their average turnaround time seems to be considerably better in approving posts. So please, for the industry’s sake, post to Full-Disclosure and stop supporting Bugtraq.
Today’s example: A new CVE popped up in various places. Google showed the first hit to be the BID Database:
EMC only posts their advisories to the Bugtraq list, so we checked there first, since that would be the provenance:
There are EMC advisories visible, but not the one with CVE-2017-4985. Checking again today:
SecurityFocus delayed the post by three days while it was in their database.