----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "Randal L. Schwartz" <merlyn@stonehenge.com>
Cc: "Geoffrey Young" <[EMAIL PROTECTED]>; "Alex Solovey" <[EMAIL PROTECTED]>; <modperl@perl.apache.org>
Sent: Sunday, March 25, 2007 4:39 PM
Subject: Re: MP1 Security issue


Randal L. Schwartz wrote:
> I get around. I read various mailing lists. I'm not a dumb guy about
> Perl stuff. And by the way, I've already been yelled at. :)
>
> But this thing about "[EMAIL PROTECTED]" is something that I
> wouldn't have thought to look for.

That's a weak defense. If you're a proponent of full disclosure, say so,
but don't use ignorance as your defense in the same email where you
claim to not be a "dumb guy."

You were probably yelled at for these reasons:

1. You thought you had discovered a serious security vulnerability.

2. You first mentioned it on a public mailing list.

Even if I knew nothing about responsibly reporting security
vulnerabilities, my email to this list would have been something like this:

"I believe I've discovered a security vulnerability in mod_perl. To whom
should I address my concerns?"

In the future, I highly suggest trying security@, support@, and info@
before disclosing a vulnerability, or ask this list for guidance.

(It might be worth making sure at least one of these works with the
perl.apache.org domain, e.g., [EMAIL PROTECTED])

Chris

--
Chris Shiflett
http://shiflett.org/


I saw my teenage daughter yesterday and finally succeeded in engaging her attention on the subject of Perl, which lasted as long as it took me to explain that I was subscribed to a mailing list concerning a very specialized technology that I was only on the fringes of, but that in the last few days there had been some rapid-fire back and forth on some hot security issue that was being fixed right before my eyes and that it was the most excitement I had ever seen on a mailing list ever! Well, she was genuinely interested from start to finish. What are the odds of the modperl mailing list being the inspiration for a breakthrough father-daughter moment like that? Pretty astronomical. Thanks, you guys. Randal in particular. As ever, the beating heart of Perl.

Best,
Gerard Clerkin
