[Ruby] Proper Way to Report a Security Hole in LoginGenerator?
Ian Searle
ians at potatoplanet.org
Wed Jun 27 23:25:18 PDT 2007
"the proper process"? I don't know that there is one. But, keeping
a vulnerability secret until it's been fixed is how big commercial
vendors want us all to behave. Furthermore, even after the
vulnerability is fixed, they don't want exploit details published.
These behaviors are for their benefit, not the customer's.
Sure, give the author a chance to fix the issue before publishing
anything publicly. But, when it's fixed, please publish the details
of the vulnerability/exploit so that the community can learn from
it. Keeping the details secret ensures that someone else will repeat
the same mistake.
Thanks,
----------
Ian Searle
ians at potatoplanet.org
On Jun 27, 2007, at Jun/27 - 9:42 PM, Aaron Goldfeder wrote:
> I'm a complete noob to the rails community and any help is
> appreciated.
>
> I found a security bug in the LoginGenerator gem (1.2.2). It's part
> of the generated code so may be in quite a few sites. Easy to
> exploit, easy to fix. On a scale of 1-5 where 5 is most severe, I'd
> call it a 3.
>
> I'd rather not post the details of the issue on the web or mailing
> list until the proper process has happened - assuming such a thing
> exists :)
>
> Anyone have any tips?
>
> Thanks!
>
> Aaron
> _______________________________________________
> Ruby at zenspider.com - Seattle.rb non-commercial list
> http://www.zenspider.com/seattle.rb
> http://www.zenspider.com/mailman/listinfo/ruby