Robin Sheat wrote:
> On Friday 3 June 2011 22:03:50, MJ Ray wrote:
> > Please, no closed list for development discussions. If someone finds
> > a security vulnerability and has a support provider, they should
> > tell them. If they do not, contact the project release manager -
> > hopefully we always have release managers who value security highly.
>
> That's not really possible for people outside the project to figure out
> easily. We want to make it as easy as possible for vulnerabilities to be
> reported.
So let's document the current practice and make it easier? Changing the process, adding more steps and special bug cases seems wrong.

> > I'd encourage everyone to practice full disclosure and discuss them on
> > the BTS or koha-devel as much as possible.
>
> That's not how responsible disclosure (which is distinct from, and an
> improvement upon full disclosure) works. Typically you want as few people as
> possible to know about the vulnerability until it's been patched and
> released.
> This keeps the users as secure as is reasonably possible.

Delayed disclosure (the neutral name for what you describe, because it is highly irresponsible in the eyes of full-disclosure supporters) has often gone too far and resulted in people trying to keep problems secret for far too long, like until every vulnerable system is patched. There are also the risks that someone inside the privileged group leaks information to attackers, while good people outside that privileged group don't even know that there's a problem.

Basically, what type of people are we? Would we tell our neighbours that their homes are insecure when there's a burglar about? Or would we keep quiet until we figured out how to secure our own home first?

As far as I know, nearly all of the vulnerabilities that Koha has suffered have been discoverable with fairly simple tools if you knew where to point them - most have needed some access to intranet or related websites, thankfully.

> The standard approach, taken by many open source projects, is to have some
> really easy way of confidentially reporting vulnerabilities, these are then
> resolved and released, at which point an announcement is made. [...]

I don't think there is any such standard (got a link?). Yes, many "open source" projects are really closed when it comes to security, but popularity is not a good argument for something, else Koha would almost never be adopted.
The disagreement between full and delayed disclosure has been going on in general for at least 150 years, and over 20 for internet security. We're probably not going to change each other's views, but at least know that not everyone wants delayed disclosure.

Hope that explains,
--
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for various work through http://www.software.coop/

_______________________________________________
Koha-devel mailing list
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
