On Wed, Mar 17, 2004, [EMAIL PROTECTED] wrote:
> If the bug is in an opensource web app post it to the app's bugzilla
> list to resolve it. ;-)

Is this good etiquette in the case of serious security breaches? It potentially alerts the entire web-using world to the existence of the problem. If the fix is difficult or complex, this potentially allows exploits to be developed before fixes, which is what you try and avoid when you're reporting a security problem.

I would tend to leave the decision to the developers about whether to post the bug in any publicly accessible place. Of course, the real problem is when the developers are unresponsive.

-Mary

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
