[Koha-devel] Koha Library Software

Joe Atzberger ohiocore at gmail.com
Thu Jun 16 20:12:40 CEST 2011


In security circles, if the reporter feels that the bug is not being
recognized or dealt with adequately by the dedicated project team, then they
have the option (and some responsibility) to report it to the wider
community.  But *starting* with public disclosure of a security issue is
correctly regarded as irresponsible.  It serves the ego, enables widespread
casual exploits and makes the project look bad without giving them a chance
to fix it first.

Depending on the complexity of the bug and whether or not it is being
actively exploited in the wild (and project release methodology), the
acceptable duration can vary, anywhere from a couple weeks to several
months.  A reporting system can have a conservative revert-to-public
duration built in.  In no case are there grounds to just bury a security bug
indefinitely.

--joe