Who should security issues be reported to?

grahamd at dscpl.com.au grahamd at dscpl.com.au
Fri Jan 28 12:17:41 CET 2005


Aahz wrote:
> In article <1106863164.745581.11920 at f14g2000cwb.googlegroups.com>,
>  <grahamd at dscpl.com.au> wrote:
> >
> >Who are the appropriate people to report security problems to in
> >respect of a module included with the Python distribution?  I don't
> >feel it appropriate to be reporting it on general mailing lists.
>
> There is no generally appropriate non-public mechanism for reporting
> security issues.  If you really think this needs to be handled
> privately, do some research to find out which core developer is most
> likely to be familiar with it.  Even before you do that, check
> SourceForge to find out whether anyone else has reported it as a bug.

I find this response a bit disappointing frankly. Open Source people make such a big deal about having lots of people being able to look at source code and from that discover security problems, thus somehow making it better than proprietary source code. From what I can see, if an Open Source project is quite large with lots of people involved, it makes it very hard to try and identify who you should report something to when there is no clearly identifiable single point of contact for security related issues. Why should I have to go through hoops to try and track down who is appropriate to send it to? All you need is a single advertised email address for security issues which is forwarded on to a small group of developers who can then evaluate the issue and forward it on to the appropriate person. Such developers could probably do such evaluation in minutes, yet I have to spend a lot longer trying to research who to send it to and then potentially wait days for some obscure person mentioned in the source code who has not touched it in years to respond, if at all. Meanwhile you have a potentially severe security hole sitting there waiting for someone to exploit, with the only saving grace being the low relative numbers of users who may be using it in the insecure manner and that it would be hard to identify the actual web sites which suffer the problem.

I'm sorry, but this isn't really good enough. If Open Source wants to say that they are better than these proprietary companies, they need to deal with these sorts of things more professionally and establish decent channels of communications for dealing with it.

And yes I have tried mailing the only people mentioned in the module in
question and am still waiting for a response.
