Re: [Full-disclosure] Help with reporting

Hash: RIPEMD160

Jeroen van Meeuwen wrote:
> Or you could just report the bug to the list...

I would *NOT* encourage reporting the vulnerability straight to the
list. The advice I'd offer the OP is to report it individually, or use
a coordinator or one of the services like VulnHelp that offer
researchers assistance in vulnerability reporting.

Truth-be-told, I'd encourage the use of coordinators if you have any
hope for a resolution of a PHP security issue. I find that the project
seldom takes vulnerability reports seriously, preferring instead to
ridicule researchers who contribute bug reports.

In addition to the lack of professionalism commonly found amongst team
members, the response process is poorly structured. The project has no
advisory mechanism in place to deal specifically with security issues.
The team often does not credit reporters of security vulnerabilities or
other bugs in its software, if they ever get fixed. The supposed
"process" is so ad hoc that even calling it a process is probably
undeserved praise.

Put simply: PHP's security processes lag far behind even its commercial
competitors -- PHP is the Oracle of open-source and worse. Dealing with
them makes Microsoft and kin look like a cakewalk.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein

Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird -


Description: S/MIME Cryptographic Signature

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages