Sunday, 19 April 2015 15:42

Responsible disclosure


There has been a lot of talk recently about responsible disclosure, especially with new developers and glory seekers. The VEL team has its own responsible disclosure code, namely that we won't list any proof of concept or samples; we will only give the bare minimum. All we ask is that developers give us details when they patch a security issue. As you will see in our listings, we will only say things like "slideshow, xss, 1.8". A little note like that can save people from running unpatched versions on their systems before they see a disclosure, since updating may take some time and gives hackers a chance to exploit it. It also saves any confusion about what is and what isn't a current VEL item.

That's why we ask people for their alerts as soon as possible, so users know to update, but we don't give hackers the tools to do it; we don't link to PoC pages or anything like that. Some developers also think that hiding the security update in their changelog, saying it is only a small vulnerability, or mentioning after a page of product glorification that they have patched the script, is responsible disclosure.

We look forward to receiving your alert resolutions[1] as soon as you are aware of them.

References

  1. alert resolutions (vel.joomla.org)

Read more https://vel.joomla.org/articles/1679-responsible-dislosure

Last modified on Tuesday, 15 March 2016 19:26