On Friday 3 June 2011 22:03:50, MJ Ray wrote:
> Please, no closed list for development discussions. If someone finds
> a security vulnerability and has a support provider, they should
> tell them. If they do not, contact the project release manager -
> hopefully we always have release managers who value security highly.
That's not really possible for people outside the project to figure out easily. We want to make it as easy as possible for vulnerabilities to be reported.

> I'd encourage everyone to practice full disclosure and discuss them on
> the BTS or koha-devel as much as possible.

That's not how responsible disclosure (which is distinct from, and an improvement upon, full disclosure) works. Typically you want as few people as possible to know about the vulnerability until it's been patched and released. This keeps the users as secure as is reasonably possible.

The standard approach, taken by many open source projects, is to have some really easy way of confidentially reporting vulnerabilities; these are then resolved and released, at which point an announcement is made. Ideally this announcement consists of a workaround if possible, a patch for older versions (if you can't upgrade for some reason), and a release with that patch included. This ensures that the risk of an active exploit finding its way into the wild is reduced before people have a reasonable chance to do something about it.

This is one of the few situations where I think development in private, or at least semi-private, is a good thing.

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
_______________________________________________
Koha-devel mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
