From: icedlava <ice...@gm...> - 2014-03-13 02:27:50
Hi Phil,

Perhaps there could be a security reporting process that attempts to keep any vulnerabilities out of the public eye until they are assessed and fixed and a patch posted, depending on the severity. Some security issues are not as severe as others and would not hurt being publicly posted. Others might need urgent attention and fixing prior to publishing any info or hints to it, to ensure websites are not taken advantage of prior to the fix being applied.

Example:

1. All security vulnerability posts go to an email sec...@we... that is received by a closed list, viewable only to a list of developers. There would hopefully be at least one person that could receive/read it immediately and assess the severity, or notify someone who could assess it if they didn't know. Most bug trackers also have the ability to post directly and not be viewed publicly - e.g. only viewable to a permission-enabled list of people.
2. This email and/or bug tracker link could be publicised on weberp.org along with how security issues are handled.
3. If it is not a severe vulnerability, it could be publicly published to the list/forum/bug tracker for discussion or fixing.
4. If it is severe and needs discussion, it could be posted to a 'closed' forum or bug tracker item that is open to all approved developers. They could address the issue and provide a patch. Once the patch is provided, it could be published openly.
5. Where a report is published openly before it becomes or is known as a severe security issue (e.g. list or forum), then hopefully before any key information is provided about it, discussion can be moved to the closed list/bug tracker for processing as in 3. This problem could be overcome by having a dedicated bug tracker that is always promoted to be used for any issue, as the bug could be hidden from the public along with any existing discussion (in most trackers) as soon as it becomes evident it's a security-related one.

Just a rough idea.
Cheers,

On 13 Mar 2014, at 9:46, Phil Daintree wrote:

> There is no secrecy here.
>
> If there is some issue that you are aware of then obviously the meat of what the issue is about needs to be contained in the message to the list. It is insufficient to head up a message major vulnerability referring to private discussions - which I am unaware of BTW - and suggest there is some major problem without any substance in the mail of what the issue is! Of course not many people would post such FUD this way.
>
> I prefer to have any issues completely on the (developers) table so we can discuss them and come up with a solution if necessary quickly and advise the users ASAP. We are an open source project and well ... open. I do, however, try to keep these forums/lists free of FUD/nonsense.
>
> I am aware of the $AllowAnyone issue which gave access to the GL Trial balance - which is now fixed and I have published a note to advise users.
>
> If there are any incorrect statements in messages to the list or the forum then I will try to remove them to avoid misleading anyone. Although this is not always easy.
>
> Phil
>
> Ph: +64 (0)275 567890
> Skype: daintree
> http://www.logicworks.co.nz