[development] Irresponsible security researcher

Karoly Negyesi karoly at negyesi.net
Wed May 13 01:22:08 UTC 2009 

Hi,

This guy believes in full disclosure so much he discloses everything
he finds instead letting us fix and disclose. This happened more than
once. So surely he wont mind if I disclose his mail sent to the
security list. According to whois, he is

      Justin Klein Keane
      1122 Green Street
      Philadelphia, PA 19123
      US
      Phone: 1-215-2320909
      Email: jkeane at madirish.net

I will let the creative members of the Drupal community figure out
ways to express their displeasure with his practice. Mail follows:

Hello,

 First let me state that I love Drupal and evangelize it openly.  I run
a Drupal users group at my place of employment and have given
presentations on the advantages of Drupal at several conferences.  I
frequently recommend adoption of Drupal and defend its security track
record.

 However, as I said before, I think we've been round the philosophical
differences between Drupal security and myself before, and we simply
disagree.  The first thing I do when I discover a vuln is warn all my
colleagues who have Drupal installed.  It only makes sense that I warn
everyone.  I'm not under any illusions that I'm the best at what I do.
The "bad guys" get paid to find these vulns, and they don't disclose
them.  If I've found a vuln, unless you somehow accept that I'm the best
at doing this, then you must know that the "bad guys" already know about
the vuln.  Full disclosure informs end users so they can make an
informed decision about whether or not to continue running the system,
or whether they need to modify the app or their deployment.

I have discovered vulnerabilities before for which Drupal team has not
given me credit.  Drupal security and I have also disagreed over the
severity of security issues which has resulted in patches not being
developed (http://drupal.org/node/372836).  This combined with the
sarcastic replies I often get from the security team, makes me leery of
their commitment to credit my discoveries.  Furthermore, I've inquired
as to contributions I could make to Drupal security team but was
rebuffed.  So, here's what I have in conclusion:

1)  I believe people using Drupal deserve to know about vulnerabilities
as soon as possible because "bad guys" already know about them.
2)  I don't trust that Drupal security would actually credit me,
especially now that relations have sufficiently soured
3)  Drupal security seems cliquish and hasn't given me any incentive to
work within their framework.

I think that leaves us at pretty good loggerheads.  I understand you
have a tough, and probably thankless job.  I laud the contributions you
are making to a wonderful open source product.  I will be the first to
stand up and say you all do a great job at keeping Drupal secure.  I
will continue to inform Drupal security directly when I discover
vulnerabilities, but I would appreciate it if you could respect my
motivation for refusing to withhold public disclosure.

All the best and keep up the good work,

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org

More information about the development mailing list