incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject Re: RE: Population of ooo-security
Date Thu, 28 Jul 2011 23:23:28 GMT
On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton <wolf.halton@gmail.com> wrote:
> One of the things I think proprietary projects are wrong about is treating
> bugs, including security bugs, as secret private things. The best security
> solution we have is the number of eyes we allow to see the problems. I think
> emulating the paranoia is a mistake. Security-related bugs should go to the
> bug squashing system all bugs go to. Triage and fixes can then follow, and
> the more security-skilled coders can take it from there.
>
> Just my .02¢
>

Two kinds of vulnerabilities:

1) Those that are newly discovered by this project itself, or by a
responsible third party that has reported it to us. The vulnerability
may be serious, but the threat is still latent because the bad guys
don't know about it yet.  But there is some urgency to fix the issue,
because the bad guys will find out soon eventually.

2) Those vulnerabilities that come to our attention only after they
are actively being used in an attack, the so-called zero-day exploit.

I think in case #2, there is no great reason to keep it a secret. The
"cat is out of the bag" already.  But in case #1, and that is the most
common case, I think it is absolutely critical to keep the
vulnerability from becoming public information until the project has
published a patch.  At that time there are standards for reporting the
vulnerability so customers have a fair shot at hearing about the
problem and patching their systems before the bad guys have time to
deploy an exploit based on the vulnerability.  Once the information is
public, it is a race, between users/admins and the bad guys.  Our job,
in an open source project, is to do whatever we can to make sure the
users/admins have a chance to win.

I would agree with you that security related code should be public and
discussed in public.  That is one advantage that open source has.  We
can have many eyes review our code.  But when you have a report of an
exploitable vulnerability, that is something else.  At that point a
race has started.  Will we patch the issue before someone exploits it?
Or will the black hats win?

-Rob
