Chaim, Having read your report, I got in touch with the author of the said report, [email protected], myself. He replied immediately.
I do not want to quote him, but his message boils down to Trustwave responding to him with the information that Ryan has left Trustwave and that his successor will work on the findings. We'll have to take this with a grain of salt, but honestly, transparency and responsibilities in ModSec and the Core Rules project are a bit lacking from my point of view. I have no doubt things are very clear for you guys working at Trustwave, and it is likely all the information is somewhere to be found. But what I would appreciate is more moderation and an easier way to find the things you need.

Examples: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project seems to be the website of the Core Rules. At least it is the number one hit I get on Google and DuckDuckGo. It lists:

Project Leader: Ryan Barnett
Contributors: Josh Zlatin, Roberto Salgado, Ashar Javed (@soaj1664ashar)

But _you_ are not mentioned. Still you seem to handle things like this. Do you have any authority to speak on behalf of the project? Is Ryan still around in the project? Why was there no farewell message?

What is dearly missing is an email address to report security issues with the Core Rules. I mean that would be the address I would be looking for if I were a responsible security researcher with an exploit in my hands.

When you take the link to GitHub, you land on a repository where the last commit is two years old. If you read the mailing lists you will find that the development is actually happening, but it's now in the 3.0.0 branch (where the last commit is 4 months old). Ryan forked the 3.0.0 branch in 2012, but it was first mentioned in the core rules mailing list in July 2015. It's probably my fault I did not check if there were any interesting branches with the core rules in the meantime, but things would really be easier if things were more transparent.

I do not want to do finger-pointing, even if it may seem so.
I want to make clear how things look from the outside for users like me, let alone someone new to ModSec or the Core Rules. Both are great projects and they could be better still (and actually attract contributions) if they were more accessible and transparent.

Best regards,

Christian

On Tue, Sep 15, 2015 at 01:23:18PM +0000, Chaim Sanders wrote:
> As far as I am aware we have not received anything. It certainly didn't go
> to this mailing list and I don't recall anything on
> [email protected]. I am preparing a blog post where we analyze
> these attacks as we speak. Be on the lookout for it :)
>
> On 9/15/15, 12:03 AM,
> "[email protected] on behalf of
> Christian Folini" <[email protected]
> on behalf of [email protected]> wrote:
>
> >Good morning,
> >
> >What is funny about the paper is that he lists contact with all
> >the other vendors and how they reacted to his responsible
> >disclosure, but this is missing for ModSec.
> >
> >Has there been no contact / no interest to patch in due time?
> >
> >Ahoj,
> >
> >Christian
> >
> >
> >--
> >It's easier to ask forgiveness, than it is to get permission.
> >-- Radm Grace Hopper, aka Amazing Grace
> >
> >_______________________________________________
> >Owasp-modsecurity-core-rule-set mailing list
> >[email protected]
> >https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:[email protected] (Business)
mailto:[email protected] (Private)
http://www.christian-folini.ch
