When I am involved in Security questions I try to discuss security breaches in terms of confidentiality, integrity and availability.
If something is supposed to be confidential, but a workaround makes it not so - it is a security breach; idem for integrity - a workaround makes it possible to modify data without any application knowledge hence affecting application integrity; availability - if a "workaround" disrupts application availability then it is a security breach.

On Fri, Nov 18, 2011 at 11:38 PM, William A. Rowe Jr. <[email protected]> wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@. So I'll simply call for
> a majority vote on the following statement...
>
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>
> [ ] Represents a security defect
> [ ] Is not a security defect
>
> This would obviously need to be clarified in the associated .htaccess
> documentation, be associated with an advisory and affect the conclusion
> of several recent defect reports, both embargoed and discussed plainly
> here on this list.
>
