On Tue, Sep 15, 2009 at 6:40 PM, Anthony <wikim...@inbox.org> wrote:
> There are.  You didn't want us to describe them in our article, did you?

All nontrivial software has unknown security vulnerabilities.  The
most anyone can realistically ask is that there are as few
vulnerabilities discovered as possible, and that they're patched as
quickly as possible when that happens.  I'm not aware of any reason to
believe MediaWiki is unusually lacking in that respect.

I'm not going to join the people who are saying that refusing to
disclose vulnerabilities without payment is unethical per se.
Security researchers need to eat as well.  I won't comment on whether
I think you actually do know about any serious vulnerabilities -- it's
both impossible to prove either way, and irrelevant to this list.

I do think we could use improvement in our procedure to respond to
security problems.  I've had the experience of sending mail to
secur...@wikimedia.org about XSS in the Timeline extension, and having
it ignored for a couple of weeks until I pestered the appropriate
people on IRC to fix it.  Where does that go?  Does it just forward to
Tim and Brion?  It should probably raise alarm bells somewhere and
cause someone to be immediately assigned to look into it, but that
doesn't appear to happen.

It should be noted, though, that actual demonstrated risk is probably
more important to users than theoretical patch response times.  For
whatever reason, attacks on MediaWiki seem to be comparatively rare.
I would be interested in hearing of any real-world attacks anyone
knows of -- there must have been *some*, but I've never heard of one.

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l