Well said!
On 12/2/05, Matthew Murphy <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Jeroen van Meeuwen wrote:
> > Or you could just report the bug to the list...
>
> I would *NOT* encourage reporting the vulnerability straight to the
> list. The advice I'd offer the OP is to report it individually, or use
> a coordinator or one of the services like VulnHelp that offer
> researchers assistance in vulnerability reporting.
>
> Truth be told, I'd encourage the use of coordinators if you have any
> hope for a resolution of a PHP security issue. I find that the project
> seldom takes vulnerability reports seriously, preferring instead to
> ridicule researchers who contribute bug reports.
>
> In addition to the lack of professionalism commonly found amongst team
> members, the response process is poorly structured. The project has no
> advisory mechanism in place to deal specifically with security issues.
> The team often does not credit reporters of security vulnerabilities or
> other bugs in its software, if they ever get fixed. The supposed
> "process" is so ad hoc that even calling it a process is probably
> undeserved praise.
>
> Put simply: PHP's security processes lag far behind even its commercial
> competitors -- PHP is the Oracle of open source and worse. Dealing with
> them makes Microsoft and kin look like a cakewalk.
>
> - --
> "Social Darwinism: Try to make something idiot-proof,
> nature will provide you with a better idiot."
>
> -- Michael Holstein
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDkINFfp4vUrVETTgRA1qMAKDLDNGB18dQ2TKCWhz4scL0O4FPxwCgzhpS
> r7RRj23hMLkXOcogHm9p958=
> =iKsq
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
