On Wednesday, 6 May 2009, Ryan Lane wrote:
> > Thanks for this. As Markus mentioned, full disclosure may not have been
> > the preferred route, but the fault is all mine as I contributed the
> > Ploticus format.
> > I'm currently working on a whitelisted, prefab-only version of
> > SRF-Ploticus. Script mode will be totally disabled, but SMW users who
> > want custom plots can always do it securely by adding their own custom
> > scripts in their ploticus prefabs directory.
> Good to hear you are working on a secure replacement.
> I almost always do full disclosure. Since this isn't the preferred
> method here, who should I be sending security vulnerability reports
> to? It isn't always easy to find the maintainer for some things. Also,
> how long should I wait for a fix before I do full disclosure? I
> usually give a maximum of 2 weeks on critical vulnerabilities when
> asked not to do full disclosure.
I guess I should comment on this. First of all, details about security alerts
can be sent to Denny, Yaron, and me directly in order to not publish exploits
too quickly. I am fine with you publishing anything after two weeks, but I am
not aware of any earlier mail on the subject. Another option is to send a
notice to the devel list saying that there is a security problem without
details on how to exploit it.
Personally, I think full disclosure is a means of forcing software majors to
react quickly to known vulnerabilities. For very widely used software, there
is also a higher chance that some "bad guys" have discovered the problem
already anyway, so disclosure just restores a status quo. Since SMW is neither
a software major nor a typical target for professional attackers, I would not
go for full disclosure here. Chances are that a security problem is only ever
exploited due to such disclosures in the first place (you can use Google to
find new security alerts very effectively, using an unfocussed search that is
not limited to some software product). My concern is that we have no means to
inform all users of SMW in a reliable way (though I did my best to publish the
Yet, I still prefer full disclosure over not reporting a security issue at
all. So don't get me wrong: we certainly appreciate your comments! I do not
think that much damage was done in this case anyway, since Ploticus is still
fairly new, and it requires additional software installation and user
expertise. So I assume that only a few public sites would actually use the
extension by now.
> Ryan Lane
> Semediawiki-devel mailing list
Semantic MediaWiki http://semantic-mediawiki.org