[development] Certify Drupal for use in Government (US) Projects

Web Developer lapurd at gmail.com
Wed Oct 1 13:19:38 UTC 2008


If you think that the oldest BugTraq "full disclosure" list has weak 
logic behind it, then you are mistaken (http://www.securityfocus.com).
BugTraq also exposes vulnerabilities that do not have solutions yet.
All I have tried to explain is that it does not mean that exploit 
information has to be exposed. But a detailed description of the problem can 
help on its own even before a solution comes out.
For me, as an open source developer, it is kind of natural to associate 
limited disclosure or after-solution disclosure with corporations like 
Microsoft and such, but not with the open source community.
Another good reason is well explained on 
<http://en.wikipedia.org/wiki/Vulnerability_(computer_science)>:
"Analysis and risk rating ensure the quality of the disclosed 
information. The analysis must include enough details to allow a 
concerned user of the software to assess his individual risk or take 
immediate action to protect his assets."
Which, btw, is very well mentioned in NIST Special Publication 800-51 
"Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability 
Naming Scheme" 
<http://csrc.nist.gov/publications/nistpubs/800-51/sp800-51.pdf>.

If the Drupal security team made a decision to follow another path, it's okay.
But you should not judge other people in this matter so quickly.
Anyway, I have tried to be polite, but since I have received such 
suspicion of bad intentions and such an arrogant perception here (at least that 
is what I feel now), I think I will stand out for now in my true 
intentions to help and let you enjoy the status of an "overworked and 
understaffed" security team.

Alex


Derek Wright wrote:
>
> On Oct 1, 2008, at 3:37 AM, Web Developer wrote:
>
>> It is just sad that the only thing you see in my notes is the intention 
>> to get this kind of information as soon as possible.
>
> It is just sad that you're not paying attention to what we're saying.  
> Another reason you probably wouldn't be a good fit for the security 
> team. ;)
>
> I explicitly wrote:
>
>>> If you said "I'm really interested in security and want to help fix 
>>> vulnerabilities, here are my skills I'm bringing to the table, 
>>> references that prove [sic] I'm not malicious, etc", we'd strongly 
>>> consider it.
>
> You *never* said *anything* like that in this entire thread.  All 
> you've said can be summarized with these 3 quotes:
>
> 1) "I thought that Drupal is an open community of open source 
> developers working under the GPL license.
> Does it mean that ALL issues have to be openly reported to the whole 
> community for everybody to review?
> Don't you all think that handling security issues behind closed doors 
> until a fix and advisory are sent out sounds more like a corporate 
> way of thinking, a way to develop something proprietary?"
>
> 2) "All I meant is that all developers in the community would like to 
> have at least a clue about what security issues are discovered, and 
> deal with them on a temporary basis on their own sites until the final 
> solution is published."
>
> 3) "Okay, what is the procedure then in order to join the security forces 
> here? If that is the only way to get the information necessary to get the 
> picture about the latest security issues."
>
> Many of us have tried to point out the weaknesses in the logic of #1 
> and #2, and tried to explain why #3 is not a sufficient reason to join 
> the security team.  You've just kept coming back saying that the 
> security team is closed (true), corporate (false), and that no one is 
> reading between the lines of your messages that what you *really* mean 
> is "I'd love to help fix vulnerabilities because I'm a security expert 
> and I have an established track record of closing exploits through 
> careful audits, thorough testing, and responsible disclosure."  Please.
>
> I'm glad you raised your concern (we are an open development 
> community, and discussing concerns like this is part of that), but the 
> overwhelming response has been: "NO, that'd be crazy, we prefer a 
> closed security team and responsible disclosure".  It's ok to be 
> outvoted, just be honest and graceful about it and no one will think 
> poorly of you...
>
> -Derek (dww)
>