I think that the process currently in place has proven itself over time to be reliable and accountable to the community. There are very few restrictions in place that would prevent a member of the Drupal community from joining the security team, but I am glad that there is a vetting process that ensures that the skills and motivation of the security team members are in line with the goals of that team and the community at large. The security review and resolution process at Drupal is one of the things that has allowed my company to use Drupal as a part of systems that handle ePHI (electronic protected health information) which have been successfully audited as HIPAA (Health Insurance Portability and Accountability Act) compliant.

--Eric

On Wed, October 1, 2008 10:08 am, Web Developer wrote:
Is everybody here so quick to see another person's logic flaw, when in fact you just have to think a little further?

I did not suggest that you have to give such a detailed description that it will expose the exploit right away. But I'm sure that in most cases an experienced developer/tester can come up with an explanatory description without exposing too much. I agree that some problems could be so obvious that any explanation will expose exploit info. Okay, but that is only one case. There are many problems that are not so obvious.
Alex
Patrick Teglia wrote:
I am sorry, but even a guy with a Security+ certification (in other words, me :) ) can see the flawed logic in this statement. A detailed description of the problem is EXACTLY the description of the vulnerability that attackers would be looking for.

Patrick Teglia

On Wed, Oct 1, 2008 at 7:19 AM, Web Developer <lapurd@gmail.com> wrote:
It does not mean that exploit information has to be exposed. But a detailed description of the problem can help on its own, even before a solution comes out.