[development] Certify Drupal for use in Government (US) Projects

Mikkel Høgh mikkel at hoegh.org
Wed Oct 1 12:42:16 UTC 2008

On 01/10/2008, at 13.00, Derek Wright wrote:
> I'm glad you raised your concern (we are an open development  
> community, and discussing concerns like this is part of that), but  
> the overwhelming response has been: "NO, that'd be crazy, we prefer  
> a closed security team and responsible disclosure".

I'd just like to say that Derek is completely and absolutely right  
here. Responsible disclosure is the only way we can reasonably handle  
security vulnerabilities, and were it not for that policy, I would not  
be using Drupal for anything remotely important, because the chance of  
some guy being quicker than me and hitting me with a zero-day exploit  
would be unreasonably high.

So while you might disagree, I think the great majority of Drupal  
developers are quite happy about this policy, and I don't think it'll  
change in the near future.

Kind regards,

Mikkel Høgh <mikkel at hoegh.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1929 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/development/attachments/20081001/36821543/attachment.bin 

More information about the development mailing list