[development] Irresponsible security researcher

Thomas Zahreddin tz at it-arts.org
Wed May 13 07:27:00 UTC 2009


i read from this mail and behavior:

- this person wants to improve security of drupal
- he made a patch, that maybe wasn't accepted or he was disapointed with
the procedures of the community
- he made a decission for himself how to handle similiar cases

-> so what's wrong with the person?


(Nobody said, that i or someone else should agree with his decission!)

He is just one more who does not believe in the practices of the

It just files a missed chance of participation.

Thomas Zahreddin

Am Dienstag, den 12.05.2009, 18:22 -0700 schrieb Karoly Negyesi:
> Hi,
> This guy believes in full disclosure so much he discloses everything
> he finds instead letting us fix and disclose. This happened more than
> once. So surely he wont mind if I disclose his mail sent to the
> security list. According to whois, he is
>       Justin Klein Keane
>       1122 Green Street
>       Philadelphia, PA 19123
>       US
>       Phone: 1-215-2320909
>       Email: jkeane at madirish.net
> I will let the creative members of the Drupal community figure out
> ways to express their displeasure with his practice. Mail follows:
> Hello,
>  First let me state that I love Drupal and evangelize it openly.  I run
> a Drupal users group at my place of employment and have given
> presentations on the advantages of Drupal at several conferences.  I
> frequently recommend adoption of Drupal and defend its security track
> record.
>  However, as I said before, I think we've been round the philosophical
> differences between Drupal security and myself before, and we simply
> disagree.  The first thing I do when I discover a vuln is warn all my
> colleagues who have Drupal installed.  It only makes sense that I warn
> everyone.  I'm not under any illusions that I'm the best at what I do.
> The "bad guys" get paid to find these vulns, and they don't disclose
> them.  If I've found a vuln, unless you somehow accept that I'm the best
> at doing this, then you must know that the "bad guys" already know about
> the vuln.  Full disclosure informs end users so they can make an
> informed decision about whether or not to continue running the system,
> or whether they need to modify the app or their deployment.
> I have discovered vulnerabilities before for which Drupal team has not
> given me credit.  Drupal security and I have also disagreed over the
> severity of security issues which has resulted in patches not being
> developed (http://drupal.org/node/372836).  This combined with the
> sarcastic replies I often get from the security team, makes me leery of
> their commitment to credit my discoveries.  Furthermore, I've inquired
> as to contributions I could make to Drupal security team but was
> rebuffed.  So, here's what I have in conclusion:
> 1)  I believe people using Drupal deserve to know about vulnerabilities
> as soon as possible because "bad guys" already know about them.
> 2)  I don't trust that Drupal security would actually credit me,
> especially now that relations have sufficiently soured
> 3)  Drupal security seems cliquish and hasn't given me any incentive to
> work within their framework.
> I think that leaves us at pretty good loggerheads.  I understand you
> have a tough, and probably thankless job.  I laud the contributions you
> are making to a wonderful open source product.  I will be the first to
> stand up and say you all do a great job at keeping Drupal secure.  I
> will continue to inform Drupal security directly when I discover
> vulnerabilities, but I would appreciate it if you could respect my
> motivation for refusing to withhold public disclosure.
> All the best and keep up the good work,
> Justin C. Klein Keane
> http://www.MadIrish.net
> http://www.LAMPSecurity.org

More information about the development mailing list