incubator-ooo-dev mailing list archives

From Wolf Halton <wolf.hal...@gmail.com>
Subject Re: RE: Population of ooo-security
Date Fri, 29 Jul 2011 02:59:57 GMT
Ok, Rob, if it is a case 1 scenario, then sure, it makes no sense to
publicize it.
"Oops, I just opened a security hole, I oughta tweet that."
Lol
Wolf

On Jul 28, 2011 7:24 PM, "Rob Weir" <apache@robweir.com> wrote:
> On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton <wolf.halton@gmail.com> wrote:
>> One of the things I think proprietary projects are wrong about is treating
>> bugs, including security bugs, as secret private things. The best security
>> solution we have is the number of eyes we allow to see the problems. I think
>> emulating the paranoia is a mistake. Security-related bugs should go to the
>> bug squashing system all bugs go to. Triage and fixes can then follow, and
>> the more security-skilled coders can take it from there.
>>
>> Just my .02¢
>>
>
> Two kinds of vulnerabilities:
>
> 1) Those that are newly discovered by this project itself, or by a
> responsible third party that has reported it to us. The vulnerability
> may be serious, but the threat is still latent because the bad guys
> don't know about it yet. But there is some urgency to fix the issue,
> because the bad guys will find out soon eventually.
>
> 2) Those vulnerabilities that come to our attention only after they
> are actively being used in an attack, the so-called zero-day exploit.
>
> I think in case #2, there is no great reason to keep it a secret. The
> "cat is out of the bag" already. But in case #1, and that is the most
> common case, I think it is absolutely critical to keep the
> vulnerability from becoming public information until the project has
> published a patch. At that time there are standards for reporting the
> vulnerability so customers have a fair shot at hearing about the
> problem and patching their systems before the bad guys have time to
> deploy an exploit based on the vulnerability. Once the information is
> public, it is a race, between users/admins and the bad guys. Our job,
> in an open source project, is to do whatever we can to make sure the
> users/admins have a chance to win.
>
> I would agree with you that security related code should be public and
> discussed in public. That is one advantage that open source has. We
> can have many eyes review our code. But when you have a report of an
> exploitable vulnerability, that is something else. At that point a
> race has started. Will we patch the issue before someone exploits it?
> Or will the black hats win?
>
> -Rob
