[development] Irresponsible security researcher
Thomas Zahreddin
tz at it-arts.org
Wed May 13 07:27:00 UTC 2009
Hi,
I read from this mail and behavior:
- this person wants to improve security of drupal
- he made a patch that maybe wasn't accepted, or he was disappointed with
the procedures of the community
- he made a decision for himself on how to handle similar cases
-> so what's wrong with the person?
Nothing.
(Nobody said that I or someone else should agree with his decision!)
He is just one more who does not believe in the practices of the
community.
It just files a missed chance of participation.
Best
Thomas Zahreddin
On Tuesday, 12.05.2009, at 18:22 -0700, Karoly Negyesi wrote:
> Hi,
>
> This guy believes in full disclosure so much that he discloses everything
> he finds instead of letting us fix and disclose. This happened more than
> once. So surely he won't mind if I disclose his mail sent to the
> security list. According to whois, he is
>
> Justin Klein Keane
> 1122 Green Street
> Philadelphia, PA 19123
> US
> Phone: 1-215-2320909
> Email: jkeane at madirish.net
>
> I will let the creative members of the Drupal community figure out
> ways to express their displeasure with his practice. Mail follows:
>
> Hello,
>
> First let me state that I love Drupal and evangelize it openly. I run
> a Drupal users group at my place of employment and have given
> presentations on the advantages of Drupal at several conferences. I
> frequently recommend adoption of Drupal and defend its security track
> record.
>
> However, as I said before, I think we've been round the philosophical
> differences between Drupal security and myself before, and we simply
> disagree. The first thing I do when I discover a vuln is warn all my
> colleagues who have Drupal installed. It only makes sense that I warn
> everyone. I'm not under any illusions that I'm the best at what I do.
> The "bad guys" get paid to find these vulns, and they don't disclose
> them. If I've found a vuln, unless you somehow accept that I'm the best
> at doing this, then you must know that the "bad guys" already know about
> the vuln. Full disclosure informs end users so they can make an
> informed decision about whether or not to continue running the system,
> or whether they need to modify the app or their deployment.
>
> I have discovered vulnerabilities before for which Drupal team has not
> given me credit. Drupal security and I have also disagreed over the
> severity of security issues which has resulted in patches not being
> developed (http://drupal.org/node/372836). This combined with the
> sarcastic replies I often get from the security team, makes me leery of
> their commitment to credit my discoveries. Furthermore, I've inquired
> as to contributions I could make to Drupal security team but was
> rebuffed. So, here's what I have in conclusion:
>
> 1) I believe people using Drupal deserve to know about vulnerabilities
> as soon as possible because "bad guys" already know about them.
> 2) I don't trust that Drupal security would actually credit me,
> especially now that relations have sufficiently soured
> 3) Drupal security seems cliquish and hasn't given me any incentive to
> work within their framework.
>
> I think that leaves us at pretty good loggerheads. I understand you
> have a tough, and probably thankless job. I laud the contributions you
> are making to a wonderful open source product. I will be the first to
> stand up and say you all do a great job at keeping Drupal secure. I
> will continue to inform Drupal security directly when I discover
> vulnerabilities, but I would appreciate it if you could respect my
> motivation for refusing to withhold public disclosure.
>
> All the best and keep up the good work,
>
> Justin C. Klein Keane
> http://www.MadIrish.net
> http://www.LAMPSecurity.org