[development] Irresponsible security researcher

Adam Ely adame780 at gmail.com
Wed May 13 01:30:15 UTC 2009 

Seriously, the fact that the info is in the whois database means he is not
concerned with it being out there. Furthermore, why act so childish? It is
obvious that Mr. Keane is merely concerned with being credited with his
discoveries and no matter what you do he will continue down this path of
(irresponsible) full disclosure.   Should the community stoop to a lower
level just because someone does? Do you think this will discourage others
from doing the same?

The fact is there is a difference in full disclose and responsible full
disclosure and Mr. Keane should follow the latter.  Read RFP's RFPolicy for
a good start on what is considered respnsible for both parties,
http://www.wiretrip.net/rfp/policy.html.

Adam

On Tue, May 12, 2009 at 6:22 PM, Karoly Negyesi <karoly at negyesi.net> wrote:

> Hi,
>
> This guy believes in full disclosure so much he discloses everything
> he finds instead letting us fix and disclose. This happened more than
> once. So surely he wont mind if I disclose his mail sent to the
> security list. According to whois, he is
>
>      Justin Klein Keane
>      1122 Green Street
>      Philadelphia, PA 19123
>      US
>      Phone: 1-215-2320909
>      Email: jkeane at madirish.net
>
> I will let the creative members of the Drupal community figure out
> ways to express their displeasure with his practice. Mail follows:
>
> Hello,
>
>  First let me state that I love Drupal and evangelize it openly.  I run
> a Drupal users group at my place of employment and have given
> presentations on the advantages of Drupal at several conferences.  I
> frequently recommend adoption of Drupal and defend its security track
> record.
>
>  However, as I said before, I think we've been round the philosophical
> differences between Drupal security and myself before, and we simply
> disagree.  The first thing I do when I discover a vuln is warn all my
> colleagues who have Drupal installed.  It only makes sense that I warn
> everyone.  I'm not under any illusions that I'm the best at what I do.
> The "bad guys" get paid to find these vulns, and they don't disclose
> them.  If I've found a vuln, unless you somehow accept that I'm the best
> at doing this, then you must know that the "bad guys" already know about
> the vuln.  Full disclosure informs end users so they can make an
> informed decision about whether or not to continue running the system,
> or whether they need to modify the app or their deployment.
>
> I have discovered vulnerabilities before for which Drupal team has not
> given me credit.  Drupal security and I have also disagreed over the
> severity of security issues which has resulted in patches not being
> developed (http://drupal.org/node/372836).  This combined with the
> sarcastic replies I often get from the security team, makes me leery of
> their commitment to credit my discoveries.  Furthermore, I've inquired
> as to contributions I could make to Drupal security team but was
> rebuffed.  So, here's what I have in conclusion:
>
> 1)  I believe people using Drupal deserve to know about vulnerabilities
> as soon as possible because "bad guys" already know about them.
> 2)  I don't trust that Drupal security would actually credit me,
> especially now that relations have sufficiently soured
> 3)  Drupal security seems cliquish and hasn't given me any incentive to
> work within their framework.
>
> I think that leaves us at pretty good loggerheads.  I understand you
> have a tough, and probably thankless job.  I laud the contributions you
> are making to a wonderful open source product.  I will be the first to
> stand up and say you all do a great job at keeping Drupal secure.  I
> will continue to inform Drupal security directly when I discover
> vulnerabilities, but I would appreciate it if you could respect my
> motivation for refusing to withhold public disclosure.
>
> All the best and keep up the good work,
>
> Justin C. Klein Keane
> http://www.MadIrish.net
> http://www.LAMPSecurity.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.drupal.org/pipermail/development/attachments/20090512/27254aee/attachment-0001.htm>

More information about the development mailing list