Not sure how I feel about the overall idea, but the exploit documentation condition *must* be expanded to specify that the exploit be documented to the Plone security team, and only the security team. Publicizing of methodology for an attack must be only after a patch is made available, and the award would be made only after those conditions are fulfilled.
The attack would need to be via Plone — not the OS or other parts of the stack like reverse proxy. Open registration must be off in the test install.

On Wed, Nov 25, 2009 at 10:28 PM, Nate Aune <na...@jazkarta.com> wrote:

> All exploits must be documented of course so that we can fix them.
_______________________________________________
Evangelism mailing list
Evangelism@lists.plone.org
http://lists.plone.org/mailman/listinfo/evangelism