Hi, I read from this mail and behavior:

- this person wants to improve the security of Drupal
- he made a patch that maybe wasn't accepted, or he was disappointed with the procedures of the community
- he made a decision for himself how to handle similar cases

-> So what's wrong with the person? Nothing. (Nobody said that I or someone else should agree with his decision!) He is just one more who does not believe in the practices of the community. It is just a missed chance of participation.

Best
Thomas Zahreddin

On Tuesday, 12.05.2009, 18:22 -0700, Karoly Negyesi wrote:
> Hi,
>
> This guy believes in full disclosure so much that he discloses everything
> he finds instead of letting us fix and disclose. This happened more than
> once. So surely he won't mind if I disclose his mail sent to the
> security list. According to whois, he is
>
> Justin Klein Keane
> 1122 Green Street
> Philadelphia, PA 19123
> US
> Phone: 1-215-2320909
> Email: jke...@madirish.net
>
> I will let the creative members of the Drupal community figure out
> ways to express their displeasure with his practice. Mail follows:
>
> Hello,
>
> First let me state that I love Drupal and evangelize it openly. I run
> a Drupal users group at my place of employment and have given
> presentations on the advantages of Drupal at several conferences. I
> frequently recommend adoption of Drupal and defend its security track
> record.
>
> However, as I said before, I think we've been round the philosophical
> differences between Drupal security and myself before, and we simply
> disagree. The first thing I do when I discover a vuln is warn all my
> colleagues who have Drupal installed. It only makes sense that I warn
> everyone. I'm not under any illusions that I'm the best at what I do.
> The "bad guys" get paid to find these vulns, and they don't disclose
> them. If I've found a vuln, unless you somehow accept that I'm the best
> at doing this, then you must know that the "bad guys" already know about
> the vuln. Full disclosure informs end users so they can make an
> informed decision about whether or not to continue running the system,
> or whether they need to modify the app or their deployment.
>
> I have discovered vulnerabilities before for which the Drupal team has not
> given me credit. Drupal security and I have also disagreed over the
> severity of security issues, which has resulted in patches not being
> developed (http://drupal.org/node/372836). This, combined with the
> sarcastic replies I often get from the security team, makes me leery of
> their commitment to credit my discoveries. Furthermore, I've inquired
> as to contributions I could make to the Drupal security team but was
> rebuffed. So, here's what I have in conclusion:
>
> 1) I believe people using Drupal deserve to know about vulnerabilities
> as soon as possible because "bad guys" already know about them.
> 2) I don't trust that Drupal security would actually credit me,
> especially now that relations have sufficiently soured.
> 3) Drupal security seems cliquish and hasn't given me any incentive to
> work within their framework.
>
> I think that leaves us at pretty good loggerheads. I understand you
> have a tough, and probably thankless, job. I laud the contributions you
> are making to a wonderful open source product. I will be the first to
> stand up and say you all do a great job at keeping Drupal secure. I
> will continue to inform Drupal security directly when I discover
> vulnerabilities, but I would appreciate it if you could respect my
> motivation for refusing to withhold public disclosure.
>
> All the best and keep up the good work,
>
> Justin C. Klein Keane
> http://www.MadIrish.net
> http://www.LAMPSecurity.org