lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <43908345.8050907@kc.rr.com>
Date: Fri Dec  2 17:24:44 2005
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Help with reporting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Jeroen van Meeuwen wrote:
> Or you could just report the bug to the list...

I would *NOT* encourage reporting the vulnerability straight to the
list.  The advice I'd offer the OP is to report it individually, or use
a coordinator or one of the services like VulnHelp that offer
researchers assistance in vulnerability reporting.

Truth-be-told, I'd encourage the use of coordinators if you have any
hope for a resolution of a PHP security issue.  I find that the project
seldom takes vulnerability reports seriously, preferring instead to
ridicule researchers who contribute bug reports.

In addition to the lack of professionalism commonly found amongst team
members, the response process is poorly structured.  The project has no
advisory mechanism in place to deal specifically with security issues.
The team often does not credit reporters of security vulnerabilities or
other bugs in its software, if they ever get fixed.  The supposed
"process" is so ad hoc that even calling it a process is probably
undeserved praise.

Put simply: PHP's security processes lag far behind even its commercial
competitors -- PHP is the Oracle of open-source and worse.  Dealing with
them makes Microsoft and kin look like a cakewalk.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDkINFfp4vUrVETTgRA1qMAKDLDNGB18dQ2TKCWhz4scL0O4FPxwCgzhpS
r7RRj23hMLkXOcogHm9p958=
=iKsq
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051202/62c5aa01/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ