Hi,

This guy believes in full disclosure so much that he discloses everything he finds instead of letting us fix and disclose. This has happened more than once. So surely he won't mind if I disclose the mail he sent to the security list. According to whois, he is:

Justin Klein Keane
1122 Green Street
Philadelphia, PA 19123
US
Phone: 1-215-2320909
Email: jke...@madirish.net

I will let the creative members of the Drupal community figure out ways to express their displeasure with his practice.

Mail follows:

Hello,

First let me state that I love Drupal and evangelize it openly. I run a Drupal users group at my place of employment and have given presentations on the advantages of Drupal at several conferences. I frequently recommend adoption of Drupal and defend its security track record.

However, as I said before, I think we've been round the philosophical differences between Drupal security and myself before, and we simply disagree. The first thing I do when I discover a vuln is warn all my colleagues who have Drupal installed. It only makes sense that I warn everyone. I'm not under any illusions that I'm the best at what I do. The "bad guys" get paid to find these vulns, and they don't disclose them. If I've found a vuln, unless you somehow accept that I'm the best at doing this, then you must know that the "bad guys" already know about the vuln. Full disclosure informs end users so they can make an informed decision about whether or not to continue running the system, or whether they need to modify the app or their deployment.

I have discovered vulnerabilities before for which the Drupal team has not given me credit. Drupal security and I have also disagreed over the severity of security issues, which has resulted in patches not being developed (http://drupal.org/node/372836). This, combined with the sarcastic replies I often get from the security team, makes me leery of their commitment to credit my discoveries. Furthermore, I've inquired as to contributions I could make to the Drupal security team but was rebuffed.

So, here's what I have in conclusion:

1) I believe people using Drupal deserve to know about vulnerabilities as soon as possible because "bad guys" already know about them.
2) I don't trust that Drupal security would actually credit me, especially now that relations have sufficiently soured.
3) Drupal security seems cliquish and hasn't given me any incentive to work within their framework.

I think that leaves us at pretty good loggerheads. I understand you have a tough, and probably thankless, job. I laud the contributions you are making to a wonderful open source product. I will be the first to stand up and say you all do a great job at keeping Drupal secure. I will continue to inform Drupal security directly when I discover vulnerabilities, but I would appreciate it if you could respect my motivation for refusing to withhold public disclosure.

All the best and keep up the good work,

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org