In security circles, if the reporter feels that the bug is not being recognized or dealt with adequately by the dedicated project team, then they have the option (and some responsibility) to report it to the wider community. But *starting* with public disclosure of a security issue is correctly regarded as irresponsible. It serves the ego, enables widespread casual exploits and makes the project look bad without giving them a chance to fix it first.
Depending on the complexity of the bug and whether or not it is being actively exploited in the wild (and project release methodology), the acceptable duration can vary, anywhere from a couple of weeks to several months. A reporting system can have a conservative revert-to-public duration built in. In no case are there grounds to just bury a security bug indefinitely. --joe
_______________________________________________
Koha-devel mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
