On 01/10/2008, at 13.00, Derek Wright wrote:
> I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure".
I'd just like to say that Derek is completely and absolutely right here. Responsible disclosure is the only way we can reasonably handle security vulnerabilities, and were it not for that policy, I would not be using Drupal for anything remotely important, because the chance of some guy being quicker than me and hitting me with a zero-day exploit would be unreasonably high. So while you might disagree, I think the great majority of Drupal developers are quite happy about this policy, and I don't think it'll change in the near future.

-- 
Kind regards,
Mikkel Høgh <mikkel@hoegh.org>