If more Drupal community members know about the newest vulnerabilities, then these vulnerabilities will be resolved faster. As I mentioned in my previous message, it is not necessary to expose exploit info. Some might say that a hacker will then do more damage. Well, let me inform you: a hacker can exploit problems on your server on their own, even without any problem description. You can be your own "hacker" by simply evaluating your web applications and web sites with the many vulnerability assessment and testing tools available on the market (many of them open source). The only issue here that I see is that the security team does not trust the Drupal community's own members. Maybe some solution is possible here, like a member certification program, which can be considered a transition from "non-trusted" (simple Drupal user) to trusted developer who can help in his spare time without being under pressure from security team bosses.

Alex

Mikkel Høgh wrote:
On 01/10/2008, at 13.00, Derek Wright wrote:
I'm glad you raised your concern (we are an open development community, and discussing concerns like this is part of that), but the overwhelming response has been: "NO, that'd be crazy, we prefer a closed security team and responsible disclosure".
I'd just like to say that Derek is completely and absolutely right here. Responsible disclosure is the only way we can reasonably handle security vulnerabilities, and were it not for that policy, I would not be using Drupal for anything remotely important, because the chance of some guy being quicker than me and hitting me with a zero-day exploit would be unreasonably high.
So while you might disagree, I think the great majority of Drupal developers are quite happy about this policy, and I don't think it'll change in the near future.
-- Kind regards,
Mikkel Høgh <mikkel@hoegh.org>