Mary Gardiner wrote:
On Wed, Mar 17, 2004, [EMAIL PROTECTED] wrote:
If the bug is in an opensource web app post it to the app's bugzilla list to resolve it. ;-)
Is this good etiquette in the case of serious security breaches? It potentially alerts the entire web-using world to the existence of the problem. If the fix is difficult or complex, this potentially allows exploits to be developed before fixes, which is what you try to avoid when you're reporting a security problem.
I would tend to leave the decision to the developers about whether to post the bug in any publicly accessible place. Of course, the real problem is when the developers are unresponsive.
And this describes the two pages of the CERT very well: report the incident and wait a certain time, and if nothing happens or no response is received, disclose the bug (via a bug-tracking tool, bugtraq, ...). But this always depends on the severity of the problem. In any case, someone should give the responsible person the time to understand, to analyse and to respond to the problem, and of course the other party should have the time to fix the problem without introducing new problems.
cya

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
