On 12/14/12 8:04 PM, Pádraic Brady wrote:
Hi all,

If I can briefly chip in, you should also add a step where the
reporter may review both the fixes and the security announcement
before being published. This would add a small safeguard to ensure
their concerns were fully addressed before going public. It would also
be wise, internally, to ensure a reported issue is fully researched -
both Symfony and ZF released XML Injection fixes that only addressed
one variation of this attack for a limited number of affected classes
and which later needed further fixes in a separate release some months
later.

Good idea. Done.

There should be an assumption that a reporter will note something
specific and not have performed any extensive code review to find
similar, related or underlying issues of equal or greater importance.
At the same time, having a public disclosure may allow Bad People to
zero in on areas that are potentially exploitable so we wouldn't want
anything to be overlooked :).

Paddy


--
If you want to report a vulnerability issue on Symfony, please read the 
procedure on http://symfony.com/security

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en