Not sure how I feel about the overall idea, but the exploit documentation
condition *must* be expanded to specify that the exploit be documented to
the Plone security team, and only the security team. Publicizing of
methodology for an attack must be only after a patch is made available, and
the award would be made only after those conditions are fulfilled.

The attack would need to be via Plone — not the OS or other parts of the
stack like reverse proxy. Open registration must be off in the test install.

On Wed, Nov 25, 2009 at 10:28 PM, Nate Aune <na...@jazkarta.com> wrote:

> > All exploits must be documented of course so that we can fix them.
_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism