Hey Jordan, really depends on the nature of the bug. If they are severe, maybe email them to me and Thomas off-list? Otherwise, I have no issues if you used the trac and maybe kept the list up to date as well.

In general I agree to wait with disclosure until they are fixed/straightened out so people have a chance to update. Just keep in mind that we are 0.1-rc1 and be gentle! ;))

Till

On 8/23/07, Jordan Wiens <[EMAIL PROTECTED]> wrote:
> Trying to send again now that I'm actually subscribed. Hopefully it'll make it through this time! Sorry for all the forward headers.
>
> --
> Jordan Wiens
> Contributing Technology Editor, Security
> Network Computing/InformationWeek
> 352.871.5109 (m)
> jordanwiens (im)
>
>
> Begin forwarded message:
>
> > From: Jordan Wiens <[EMAIL PROTECTED]>
> > Date: August 12, 2007 6:35:34 PM EDT
> > To: [email protected]
> > Subject: Fwd: roundcube vulnerability scan
> >
> > Sent this to [EMAIL PROTECTED], but never heard back. Since this is a public list, I've removed descriptions of the raw vulnerabilities. Would prefer to handle those privately unless explicitly told otherwise. Feel free to contact me via email or phone.
> >
> > --
> > Jordan Wiens
> > Contributing Technology Editor, Security
> > Network Computing/InformationWeek
> > 352.871.5109 (m)
> > jordanwiens (im)
> >
> >
> > Begin forwarded message:
> >
> >> From: Jordan Wiens <[EMAIL PROTECTED]>
> >> Date: July 20, 2007 6:59:50 PM EDT
> >> To: [EMAIL PROTECTED]
> >> Subject: roundcube vulnerability scan
> >>
> >> I'm using roundcube as a test application for a review on web application vulnerability scanners (http://www.networkcomputing.com/rollingreviews/Web-Applications-Scanners/) and as a result, I expect to have a variety of vulnerabilities discovered over the course of the review.
> >>
> >> I wanted to email you to ask a couple of questions.
> >>
> >> First, how should I submit bugs discovered? Just use trac? Will that make them public? Private email? Let me know what you prefer, I'm happy to do either.
> >>
> >> Secondly, would you like me to publicly mention which open source webmail project I used for my testing? Or stay anonymous? I'd prefer to not make it public at the very least until all the flaws discovered are fixed, though I doubt that will be a problem since writing the articles takes a while to go through the whole magazine process. Other than that, I'll leave the option up to you as to whether you prefer to be discussed. Note that I don't plan on discussing the exact details of particular vulnerabilities, just the general class and types.
> >>
> >> Anyway, I've already stumbled across a few ways to evade the cross-site scripting blocking filters when manually looking through the code to see what the application scanners will be up against.
> >>
> >> Here are samples of vulns I've found so far that will automatically execute javascript without user action besides just opening the email:
> >
> > <DELETED>
> >
> >> --
> >> Jordan Wiens
> >> Contributing Editor, Security
> >> Network Computing/InformationWeek
> >> 352.871.5109 (m)
> >> jordanwiens (im)

_______________________________________________
List info: http://lists.roundcube.net/dev/
