Full Disclosure mailing list archives
Re: Help with reporting
From: InfoSecBOFH <infosecbofh () gmail com>
Date: Sat, 3 Dec 2005 01:57:02 -0800
Well said! On 12/2/05, Matthew Murphy <mattmurphy () kc rr com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Jeroen van Meeuwen wrote:Or you could just report the bug to the list...I would *NOT* encourage reporting the vulnerability straight to the list. The advice I'd offer the OP is to report it individually, or use a coordinator or one of the services like VulnHelp that offer researchers assistance in vulnerability reporting. Truth-be-told, I'd encourage the use of coordinators if you have any hope for a resolution of a PHP security issue. I find that the project seldom takes vulnerability reports seriously, preferring instead to ridicule researchers who contribute bug reports. In addition to the lack of professionalism commonly found amongst team members, the response process is poorly structured. The project has no advisory mechanism in place to deal specifically with security issues. The team often does not credit reporters of security vulnerabilities or other bugs in its software, if they ever get fixed. The supposed "process" is so ad hoc that even calling it a process is probably undeserved praise. Put simply: PHP's security processes lag far behind even its commercial competitors -- PHP is the Oracle of open-source and worse. Dealing with them makes Microsoft and kin look like a cakewalk. - -- "Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDkINFfp4vUrVETTgRA1qMAKDLDNGB18dQ2TKCWhz4scL0O4FPxwCgzhpS r7RRj23hMLkXOcogHm9p958= =iKsq -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: Help with reporting Jeroen van Meeuwen (Dec 02)
- Re: Help with reporting Matthew Murphy (Dec 02)
- Re: Help with reporting InfoSecBOFH (Dec 03)
- Re: Help with reporting Matthew Murphy (Dec 02)