[development] Certify Drupal for use in Government (US) Projects
Damien Tournoud
damz at prealable.org
Wed Oct 1 14:31:01 UTC 2008
On Wed, Oct 1, 2008 at 4:08 PM, Web Developer <lapurd at gmail.com> wrote:
> I did not suggest that you have to give such a detailed description that it will expose the exploit right away.
> But I'm sure in most cases an experienced developer/tester can come up with an explanatory description without exposing too much.
> I agree that some problems could be so obvious that any explanation will expose exploit info. Okay, but that is only one case.
> There are many problems that are not so obvious.
Our security process can be thought of as complying with "responsible
disclosure", as described for example in the RFPolicy [1]. Close
cooperation between security researchers and vendors (i.e. us, the
Drupal community) in private, before the security vulnerability has
been disclosed, has largely proven to be the right way to deal with this
kind of issue.
Our community is open. Discussing issues "inside" the community means
nothing more than discussing them publicly.
Damien Tournoud
[1] http://www.wiretrip.net/rfp/policy.html