[development] Certify Drupal for use in Government (US) Projects

Web Developer lapurd at gmail.com
Wed Oct 1 13:49:34 UTC 2008


If more Drupal community members know about the newest 
vulnerabilities, then these vulnerabilities will be resolved faster.
As I have mentioned in my previous message, it is not necessary to expose 
exploit info.
Some might say that a hacker will then do more damage. Well, let me 
inform you: a hacker can exploit problems on your server on their own even 
without any problem description.
You can be your own "hacker" by simply evaluating your web applications 
and web sites with the many vulnerability assessment and testing tools 
available on the market (many of them are open source).
The only issue I see here is that the security team does not trust the Drupal 
community's own members.
Maybe some solution is possible here, like a member certification 
program, which can be considered a transition from "non-trusted" 
(simple Drupal user) to trusted developer who can help in his spare time 
without being under pressure from the security team bosses.

Alex


Mikkel Høgh wrote:
> On 01/10/2008, at 13.00, Derek Wright wrote:
>> I'm glad you raised your concern (we are an open development 
>> community, and discussing concerns like this is part of that), but 
>> the overwhelming response has been: "NO, that'd be crazy, we prefer a 
>> closed security team and responsible disclosure".
>
> I'd just like to say that Derek is completely and absolutely right 
> here. Responsible disclosure is the only way we can reasonably handle 
> security vulnerabilities, and were it not for that policy, I would not 
> be using Drupal for anything remotely important, because the chance of 
> some guy being quicker than me and hitting me with a zero-day exploit 
> would be unreasonably high.
>
> So while you might disagree, I think the great majority of Drupal 
> developers are quite happy about this policy, and I don't think it'll 
> change in the near future.
>
> -- 
> Kind regards,
>
> Mikkel Høgh <mikkel at hoegh.org>

