On Mon, Oct 10, 2011 at 8:06 AM, Rory O'Farrell <[email protected]> wrote:
> On Mon, 10 Oct 2011 07:45:34 -0400
> Rob Weir <[email protected]> wrote:
>> Security reports come from security reporters. Can you tell us whether "Red Hat, Inc. security researcher Huzaifa Sidhpurwala" is a TDF member and whether he was reporting this issue under instructions from TDF?
>
> Does it matter? A careful security report will provide information on how the problem arises; it would be foolish for anyone to immediately swing into action with alarm bells ringing to try to fix a report without first verifying that the problem actually exists. Surely any security report undergoes some form of triage before being advanced to fix.
>
It matters only to the degree that Michael was suggesting that there was some breakdown in communications between TDF and Apache over security reports. So it is relevant to know whether the security researcher who reported the issue was actually a TDF/LO developer.

I agree that incoming reports undergo triage/verification. In some sense it is no different than any other defect report in that regard. One difference is that when looking at the severity/impact of the defect, we look at it from the perspective of someone trying to exploit a vulnerability, not from the end-user's perspective. So a security-related defect in an obscure feature might be considered high severity, even if a function defect in that same area would be considered low severity.

-Rob

> --
> Rory O'Farrell <[email protected]>
>
