I was hoping to start a discussion over what constitutes a "security" bug in our Bugzilla. This is not meant to criticize any previous decisions around security, merely to gauge how we feel about this as a community.

So, here I'd like to outline the criteria I would suggest for determining whether a bug should be classified as "security" and restricted to the "security team." Please comment. :-)

- Bugs which allow false negatives are not security bugs. In particular, if a bug allows a carefully crafted message to bypass some, but not all, of SpamAssassin's tests, then it should not be marked as "security".

- DOS attacks and other related, *exploitable* bugs that cause disruption to mail-scanning or other problems for the server are security bugs. (I don't consider 4570 to be a security bug, for example. It's just not exploitable by spammers.)

- Bugs that allow a specially crafted spammy message to get through regardless of any other characteristics (i.e. header, body, Bayes and other tests fail to count) may be security bugs. (I'd argue it's not strictly speaking a security issue for the system, but it is something we should maybe not make public. I could be convinced either way on this.)

Lastly, I'd like to say that once a bug is outlined in the open, there is no point to hide it after the fact. In fact, all this may accomplish is to hide the fix from our users, even though a description of the "exploit" is publicly available. (Example: bug 4759, 4535, others I'm sure.)

-- Duncan Findlay