On Wed, Oct 1, 2008 at 4:08 PM, Web Developer <lapurd@gmail.com> wrote:
> I did not suggest that you have to give such a detailed description that it will expose the exploit right away. But I'm sure in most cases an experienced developer/tester can come up with an explanatory description without exposing too much. I agree that some problems could be so obvious that any explanation will expose exploit info. Okay, but it is only one case. There are many problems that are not so obvious.
Our security process can be thought of as complying with "responsible disclosure", as described for example in the RFPolicy [1]. Close cooperation between security researchers and vendors (i.e. us, the Drupal community) in private, before the security vulnerability has been disclosed, has largely proven to be the good way to deal with this kind of issue. Our community is open. Discussing issues "inside" the community means nothing more than discussing them publicly.

Damien Tournoud

[1] http://www.wiretrip.net/rfp/policy.html