Where is the problem? (report, advisory, and the mediation of the security bug)
  • 2004/2/16 8:48

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12

In the beginning first of all,
I apologize my having a part of the cause causing confusion
by the topic of the matter.
I think that there was being possible to miss each other
of the button from the first start.

In Japan, in the beginning, the security hole is first
made public by SorceForge.JP. Because this matter was
grandly reported by the mass communication in Japan,
We had to behave before a new cracker appeared.
It was said that conformity was top priority in above all.

On the other hand, worldwide,
To some men though this security hole was the already-known one,
it is one month ago in the vicinity that it had been discovered.
Even if late on the third the second, many people did not have
the influence. We were sure to use for that time, and it to be
better to prepare advisory a complete correction.

There is a story that the attempt of the cracking by a similar way
increased actually after that topic in this site.
It is that we were at first anxious.
It is equivalent to increasing the number of new crackers
that the security hole is made public. I think that it is clearly
shown and I am put.

Re: Where is the problem? (report, advisory, and the mediation of the security bug)
  • 2004/2/16 8:50

  • sum

  • Just popping in

  • Posts: 10

  • Since: 2002/11/12

And I think whether there was incomplete preparation for reception
of the security report in the XOOPS community in Japan.
Though the vender was in other countries in this case,
It was a user in Japan that used it, and used it on the site in Japan.
We have the receipt entrance and bug-tracking, it corresponds to the
security and the function demand to the XOOPS core and appending modules.
Even if the function demand of the module made by the third party is spoken
in our forum, we don't have the receipt entrance of the security to them.
The report can be able to forget in many cases or are reported
directly by the vender if lucky. It is difficult for the user
to report in the language that is not the mother tongue.
There are such circumstances, too.

# Moreover, a lot of Japanese know the event that a certain Japanese
# was arrested by the police recently because of crossing of the way
# of the security report (If you want to learn it in detail, please
# look for by the key words of "Office" and "ACCS".)

The fate of the delivered report is various.
- It will not have been.
- Time hangs in the answer.
- The fix is quietly done on the vender site.
- It is made public only in a local XOOPS community.
- It is likely to be likely to be notified indirectly or directly
on this site by the vender himself or the third party.

Even if it is a module made by the third party, I want the flow
united a little more. It is easy to use for the developer
and each reporter, and is the certain one.

I think CVE, CERT/CC, and BugTraq to be the unsuitable one
in such a usage.


Who's Online

78 user(s) are online (41 user(s) are browsing Support Forums)

Members: 0

Guests: 78



Goal: $100.00
Due Date: Jun 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits