[development] Certify Drupal for use in Government (US) Projects
Mikkel Høgh
mikkel at hoegh.org
Wed Oct 1 12:42:16 UTC 2008
On 01/10/2008, at 13.00, Derek Wright wrote:
> I'm glad you raised your concern (we are an open development
> community, and discussing concerns like this is part of that), but
> the overwhelming response has been: "NO, that'd be crazy, we prefer
> a closed security team and responsible disclosure".
I'd just like to say that Derek is completely and absolutely right
here. Responsible disclosure is the only way we can reasonably handle
security vulnerabilities, and were it not for that policy, I would not
be using Drupal for anything remotely important, because the chance of
some guy being quicker than me and hitting me with a zero-day exploit
would be unreasonably high.

So while you might disagree, I think the great majority of Drupal
developers are quite happy about this policy, and I don't think it'll
change in the near future.
--
Kind regards,
Mikkel Høgh <mikkel at hoegh.org>