Seriously, the fact that the info is in the whois database means he is not concerned with it being out there. Furthermore, why act so childish? It is obvious that Mr. Keane is merely concerned with being credited with his discoveries and no matter what you do he will continue down this path of (irresponsible) full disclosure. Should the community stoop to a lower level just because someone does? Do you think this will discourage others from doing the same?

The fact is there is a difference between full disclosure and responsible full disclosure, and Mr. Keane should follow the latter. Read RFP's RFPolicy for a good start on what is considered responsible for both parties, http://www.wiretrip.net/rfp/policy.html.

Adam

On Tue, May 12, 2009 at 6:22 PM, Karoly Negyesi <karoly@negyesi.net> wrote:
Hi,

This guy believes in full disclosure so much he discloses everything
he finds instead of letting us fix and disclose. This happened more than
once. So surely he won't mind if I disclose his mail sent to the
security list. According to whois, he is

     Justin Klein Keane
     1122 Green Street
     Philadelphia, PA 19123
     US
     Phone: 1-215-2320909
     Email: jkeane@madirish.net

I will let the creative members of the Drupal community figure out
ways to express their displeasure with his practice. Mail follows:

Hello,

First let me state that I love Drupal and evangelize it openly.  I run
a Drupal users group at my place of employment and have given
presentations on the advantages of Drupal at several conferences.  I
frequently recommend adoption of Drupal and defend its security track
record.

However, as I said before, I think we've been round the philosophical
differences between Drupal security and myself before, and we simply
disagree.  The first thing I do when I discover a vuln is warn all my
colleagues who have Drupal installed.  It only makes sense that I warn
everyone.  I'm not under any illusions that I'm the best at what I do.
The "bad guys" get paid to find these vulns, and they don't disclose
them.  If I've found a vuln, unless you somehow accept that I'm the best
at doing this, then you must know that the "bad guys" already know about
the vuln.  Full disclosure informs end users so they can make an
informed decision about whether or not to continue running the system,
or whether they need to modify the app or their deployment.

I have discovered vulnerabilities before for which the Drupal team has not
given me credit.  Drupal security and I have also disagreed over the
severity of security issues, which has resulted in patches not being
developed (http://drupal.org/node/372836).  This, combined with the
sarcastic replies I often get from the security team, makes me leery of
their commitment to credit my discoveries.  Furthermore, I've inquired
as to contributions I could make to the Drupal security team but was
rebuffed.  So, here's what I have in conclusion:

1)  I believe people using Drupal deserve to know about vulnerabilities
as soon as possible because "bad guys" already know about them.
2)  I don't trust that Drupal security would actually credit me,
especially now that relations have sufficiently soured.
3)  Drupal security seems cliquish and hasn't given me any incentive to
work within their framework.

I think that leaves us at pretty good loggerheads.  I understand you
have a tough, and probably thankless job.  I laud the contributions you
are making to a wonderful open source product.  I will be the first to
stand up and say you all do a great job at keeping Drupal secure.  I
will continue to inform Drupal security directly when I discover
vulnerabilities, but I would appreciate it if you could respect my
motivation for refusing to withhold public disclosure.

All the best and keep up the good work,

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org