Re: [Full-disclosure] Help with reporting



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Jeroen van Meeuwen wrote:
> Or you could just report the bug to the list...

I would *NOT* encourage reporting the vulnerability straight to the
list. The advice I'd offer the OP is to report it individually, or use
a coordinator or one of the services like VulnHelp that offer
researchers assistance in vulnerability reporting.

Truth-be-told, I'd encourage the use of coordinators if you have any
hope for a resolution of a PHP security issue. I find that the project
seldom takes vulnerability reports seriously, preferring instead to
ridicule researchers who contribute bug reports.

In addition to the lack of professionalism commonly found amongst team
members, the response process is poorly structured. The project has no
advisory mechanism in place to deal specifically with security issues.
The team often does not credit reporters of security vulnerabilities or
other bugs in its software, if they ever get fixed. The supposed
"process" is so ad hoc that even calling it a process is probably
undeserved praise.

Put simply: PHP's security processes lag far behind even its commercial
competitors -- PHP is the Oracle of open-source and worse. Dealing with
them makes Microsoft and kin look like a cakewalk.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDkINFfp4vUrVETTgRA1qMAKDLDNGB18dQ2TKCWhz4scL0O4FPxwCgzhpS
r7RRj23hMLkXOcogHm9p958=
=iKsq
-----END PGP SIGNATURE-----

Attachment:smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/